From rforno at infowarrior.org Thu Oct 1 06:19:51 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 1 Oct 2015 07:19:51 -0400
Subject: [Infowarrior] - The Cost of Mobile Ads on 50 News Websites
Message-ID:

The Cost of Mobile Ads on 50 News Websites
By GREGOR AISCH, WILSON ANDREWS and JOSH KELLER
OCT. 1, 2015

Ad blockers, which Apple first allowed on the iPhone in September, promise to conserve data and make websites load faster. But how much of your mobile data comes from advertising?

We measured the mix of advertising and editorial on the mobile home pages of the top 50 news websites -- including ours -- and found that more than half of all data came from ads and other content filtered by ad blockers. Not all of the news websites were equal.

< -- >

http://www.nytimes.com/interactive/2015/10/01/business/cost-of-mobile-ads.html

-- 
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Oct 1 12:48:41 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 1 Oct 2015 13:48:41 -0400
Subject: [Infowarrior] - Newly disclosed Android bugs affect all devices
Message-ID:

Newly disclosed Android bugs affect all devices / Cory Doctorow / 10:37 am Thu Oct 1, 2015
http://boingboing.net/2015/10/01/newly-disclosed-android-bugs-a.html

The newly released bugs are part of the Stagefright family of vulnerabilities, disclosed by Zimperium Zlabs. Stagefright was first disclosed in April, with a demonstration that allowed for infection via SMS. The two new Stagefright vulns expand the range of affected devices to all versions of Android since 2008's version 1.0, and spread via MP3s and MP4s.

Google was informed of the bugs on August 15, but has not yet released a patch. They say a patch will come on Oct 5.

Android has been fragmented by phone hardware makers and carriers, who've been eager to put their own stamp on the OS, and in some cases, to restrict functionality such as tethering.
As a result, the patch (when it ships) will take a long time to reach all affected devices -- in many cases, it won't even be available until the carrier/vendor gets around to pushing it out.

Many countries have "anti-circumvention" laws on the books, put there at the insistence of the US Trade Representative, that make jailbreaking your phone illegal. For people whose vendors don't patch this bug (or patch it late), the only way to secure their handsets will be to jailbreak them and install an OS that bypasses the vendor, breaking the law.

The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google's Hangouts and Messenger apps, the likely attack vector would be via the Web browser.

- An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker controlled Web site (e.g., mobile spear-phishing or malicious ad campaign)
- An attacker on the same network could inject the exploit using common traffic interception techniques (MITM) to unencrypted network traffic destined for the browser.
- 3rd party apps (Media Players, Instant Messengers, etc.) that are using the vulnerable library.

From rforno at infowarrior.org Thu Oct 1 16:44:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 1 Oct 2015 17:44:50 -0400
Subject: [Infowarrior] - 15m T-Mobile customers affected in Experian data breach
Message-ID: <32A33CEA-4270-4C5F-9EF3-29CC59F6B35D@infowarrior.org>

(Note the credit reporting agencies like Experian are the holy grail of targets for data thieves. They have OPM-like PII on many many customers.
---rick)

Experian reports data breach; more than 15M T-Mobile customers affected
Reem Nasr | @reemanasr
http://www.cnbc.com/2015/10/01/experian-reports-data-breach-involving-info-for-more-than-15m-t-mobile-customers.html

Global information services group Experian announced Thursday that one of its business units had been hacked. The breach occurred on a server that contained data on behalf of one of its clients, T-Mobile.

The data includes personal information for a combination of about 15 million customers and credit applicants in the U.S. The company said that the incident did not impact its own consumer credit database.

The ADRs of Ireland-headquartered Experian closed Thursday up nearly 1.7 percent to $16.38, while shares of T-Mobile were down more than 1 percent in extended trading.

In a letter to consumers, T-Mobile CEO John Legere said the following:

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile's systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information."

Legere also said that any customers concerned that they may have been impacted can sign up for two years of free credit monitoring and identity resolution services at Experian's "Protect My ID" program.

Experian said it took immediate action upon finding the breach: it secured the server, initiated a comprehensive investigation and notified U.S. and international law enforcement.

The data stolen included names, dates of birth, addresses and Social Security numbers. No payment card or banking information was acquired, the company said.
"We take privacy very seriously and we understand that this news is both stressful and frustrating. We sincerely apologize for the concern and stress that this event may cause," said Craig Boundy, CEO of Experian North America. "That is why we're taking steps to provide protection and support to those affected by this incident and will continue to coordinate with law enforcement during its investigation."

From rforno at infowarrior.org Thu Oct 1 16:55:46 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 1 Oct 2015 17:55:46 -0400
Subject: [Infowarrior] - When Security Experts Gather to Talk Consensus, Chaos Ensues
Message-ID:

When Security Experts Gather to Talk Consensus, Chaos Ensues
By Kim Zetter
http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/

Security researchers and vendors have long been locked in a debate over how to disclose security vulnerabilities, and there's little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements.

That's the conclusion after a coalition of security vendors, academics, lawyers, and researchers gathered at UC Berkeley on Tuesday to discuss how to improve the sometimes-hostile system for reporting software vulnerabilities. But the diverse group of participants had a hard time even agreeing on the purpose of the meeting: Was it to draft a charter for best practices in reporting software vulnerabilities? Was it to reform parts of the Digital Millennium Copyright Act and Computer Fraud and Abuse Act to make them less hostile to researchers? Or was it to develop guidelines for companies interested in launching bug bounty programs?

The participants hit another sticking point when they tried to determine if they should hold a second meeting. "I spent $2,000 [to come to this meeting],"
Dave Aitel, CEO and founder of the Florida-based security firm Immunity, told attendees. Whether or not there's a second meeting, "should at least be an option" for discussion.

Organized by the National Telecommunications and Information Administration (NTIA), a division of the US Commerce Department, the six-hour meeting marked one of the government's first forays into the controversial world of bug reporting. But not all of the participants entirely welcomed the government's involvement -- some of them pointed out that a government that withholds information about zero-day vulnerabilities from software vendors in order to exploit them in the systems of adversaries is not exactly in a position to tell researchers and vendors how to handle the vulnerability disclosure process.

Some participants also expressed mistrust privately to WIRED that the meeting might simply be the first step in yet another government attempt to regulate software research. "The DMCA has already created a chilling effect on some research," one participant, who asked to remain anonymous, said. "The Wassenaar agreement is [also] a problem. This is the Commerce Department. What makes you think they won't take [information gathered from this meeting] to Congress [to get legislation passed]?"

The 1998 Digital Millennium Copyright Act (DMCA) has often been used by companies to threaten researchers who reverse-engineer software and products to find vulnerabilities. As for the Wassenaar Arrangement, which is an international arms control agreement that calls for export controls on the sale and trafficking of certain types of surveillance software, the Commerce Department has drafted US export rules to comply with it. Security professionals say these rules would thwart security research and bug disclosures.
But Allan Friedman, the NTIA's director of cybersecurity, assured the crowd, which included those watching a livestream over the Internet, that the Commerce Department's role was simply to facilitate a discussion between stakeholders -- not to impose solutions.

Many Companies Are New to the Security Disclosure World

Whether or not concerns about government regulation are reasonable, the gathering did achieve one important thing. It brought together traditional companies that have been dealing with disclosure issues for years -- such as Google, Microsoft, and Oracle -- with representatives from companies like General Motors and Honda that are new to the world of security disclosures. The auto industry has awoken to the vulnerability issue only recently, following several high-profile hacks of automobiles by researchers. And at least one person was there representing the medical industry, which has had its own run-ins with researchers recently.

All of this is a sign that the definition of "software vendor" has expanded in recent years to include the makers of products that previously contained no digital code. It also highlights the need for these new players to learn from the start how to avoid making the same mistakes their predecessors made in dealing with researchers.

"Everyone is a software company [today]," Josh Corman, CTO of Sonatype, a firm that develops enterprise software tools, told the audience. "Everyone is going to grapple with this problem [of vulnerability disclosure at some point]." Unfortunately, he noted, "99 percent of the people tracking with this issue are at day zero" in their understanding of how to deal with researchers and software vulnerabilities.

Many of these new players are in the position that Microsoft and other companies were 15 years ago, when vendors saw researchers as adversaries rather than assets. "Fifteen years ago, friends got cease-and-desist letters from Microsoft and framed them," Corman said.
"Now Microsoft is giving six-figure [bug] bounties. That mean-time to enlightenment took 15 years, so do not expect that these people who are in the 99 percent [will] wake up overnight. They will have a steep learning curve."

He's hopeful, however, that companies entering the arena today will learn faster than their predecessors. "We want to compress that mean-time to enlightenment from 15 years to maybe three."

But if comments made at the meeting are any indication, both sides still have to overcome negative perceptions of each other. Members of the audience snickered, for example, when a representative from the auto industry pleaded that researchers should consider "safety" when testing for vulnerabilities. At a bar after the event, some attendees said automakers are the ones who don't seem concerned about consumer safety when they sell cars that haven't been pen-tested for vulnerabilities or when it takes them five years to fix a known vulnerability.

And when Corman sought community support for new companies entering the bug bounty arena, some attendees responded with derision. He noted that after United Airlines launched its bug bounty program this year -- the first for the airline industry -- it suffered backlash from the security community instead of support. "United took a baby step and put their toe in the water, [and] the research community bit it, like a piranha, down to the bone," he said. "It really scared other companies."

But Neal Krawetz, founder of Hacker Factor Solutions, pointed out that "50 percent of the United bug bounty program's announcement were warnings about how they would sue you if you did certain things."

The Rift Between Security Researchers and Vendors Runs Deep

This is not the first time someone has attempted to resolve the issues between researchers and vendors. The rift between them goes back nearly two decades. In 2000, a prominent hacker and researcher who went by the name Rain Forest Puppy crafted a "full disclosure"
policy for publishing information about security holes that hackers and other researchers discovered. Back then, it wasn't unusual for a researcher to disclose a vulnerability to a software maker or web site owner, only to be ignored -- or to be served a letter accusing them of illegally hacking or reverse-engineering the software or system.

Some researchers fought back by bypassing vendors altogether and simply disclosing information about holes directly to the public, through the media or conference presentations. This kind of approach embarrassed vendors, but it also made them more likely to fix the hole and leave the researcher alone.

Puppy's disclosure policy proposed that researchers should reveal vulnerabilities to vendors before publishing them, but vendors would be required to respond within five business days, or the researcher would go public. The vendor didn't have to fix the vulnerability within that time -- it could negotiate a reasonable timeframe for doing so -- but it had to at least acknowledge the bug report and respond politely during that time, or the researcher would be free to disclose the information to the public.

This was in the days before bug bounty programs, when security pros were volunteering their skills for free to improve vendors' products. In exchange, researchers hoped for public acknowledgement and thanks, and a boost to their resumes. But it didn't work out this way. Instead, the history of computer security became littered with researchers put through the wringer over what they considered to be Good Samaritan acts.

This problem has partly been alleviated by the growth in bug bounty programs offered by vendors like Google and Microsoft to pay researchers for vulnerabilities they uncover in software. Such programs, for the most part, have made it much easier for researchers to report vulnerabilities, get them fixed in a timely manner, and receive fair treatment from vendors. But this isn't always the case.
Some vendors still react to researchers with mistrust and hostility, as evidenced by the recent legal altercation between two security firms after one uncovered vulnerabilities in the other's product. And some researchers push boundaries when they conduct their research, as evidenced by the recent case involving a researcher who told the FBI he had hacked airline networks while inflight.

All of which is to say that many of the original issues around disclosure that plagued the community two decades ago remain the same: Vendors sometimes still take too long to patch vulnerabilities, ignore researchers altogether, or threaten legal action. And there's often still a lot of tension when researchers threaten to publicly disclose vulnerabilities.

Rather than offer solutions to these problems, a number of people in the crowd urged attendees not to try to come up with answers yet, but to instead use this and future meetings to first listen to all sides and develop a broad understanding of researchers' and vendors' concerns.

First, though, they need to agree on whether they'll even have a second meeting.

From rforno at infowarrior.org Thu Oct 1 18:11:36 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 1 Oct 2015 19:11:36 -0400
Subject: [Infowarrior] - Most transparent ..... obfuscation
Message-ID: <52403892-4D33-4A50-B226-783376C0257E@infowarrior.org>

Court Says USTR Can Continue To Keep The Public From Seeing The Trade Agreements They'll Be Subjected To
from the our-national-security-depends-on-it,-apparently dept
https://www.techdirt.com/articles/20151001/08102632406/court-says-ustr-can-continue-to-keep-public-seeing-trade-agreements-theyll-be-subjected-to.shtml

Towards the end of 2013, IP-Watch -- along with the Yale Media Freedom and Access Center -- filed a FOIA lawsuit against the USTR for its refusal to release its TPP draft documents.
The USTR spent a year ignoring IP-Watch's William New's request before telling him the release of draft agreements would "harm national security." What trade agreements have to do with "national security" is anyone's guess (especially since the USTR has cloaked the entire TPP proceedings in opacity), but the conclusion being drawn by this refusal is that the USTR feels the public has no right to know about trade agreements that affect the public.

< - >

That being said, the court still won't be ordering the USTR to release draft TPP documents. The only thing it has done is order the agency to present documents explaining its withholding of certain communications under two FOIA exemptions. The bulk of the trade agreements will remain hidden away from the public -- this time with the court's blessing and thanks to the administration's advocacy on behalf of continued opacity.

From rforno at infowarrior.org Fri Oct 2 07:42:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 2 Oct 2015 08:42:45 -0400
Subject: [Infowarrior] - more on ... 15m T-Mobile customers affected in Experian data breach
In-Reply-To: <1443757863.4457.YahooMailBasic@web181502.mail.ne1.yahoo.com>
References: <1443757863.4457.YahooMailBasic@web181502.mail.ne1.yahoo.com>
Message-ID:

> On Oct 1, 2015, at 11:51 PM, matthew wrote:
>
>> take our customer and prospective customer privacy VERY seriously
> ...
>> The data stolen included names, dates of birth, addresses and Social Security numbers
>
> AFAIK T-mobile and the entire credit bureau industry are violating FEDERAL law by even having the SSN let alone pressuring people to disclose it. Not that one can't wreak plenty of havoc with the other data elements but if 300 million Americans would just say "I refuse to provide my SSN to any entity that is not the SSA or IRS (possibly Dept of Health which administers Medicaid)" we'd make some progress.
>
> I got something for the USG Information Security Czar of the day - publish an Executive Order that every agency that isn't the 2 (maybe 3) above is required within 30 days to delete every SSN in every database they have. And direct the DoJ to sue every health provider, insurance company, and credit bureau for violations of law. Gov't thuggery can be useful at times, turn them loose on these clowns.
>
> And furthermore amend IRS regulations (I don't think it's a Congressional law) that all banks and financial institutions will likewise strike all SSN records (system-wide, or at the very least delete all but last 4) from their accounting systems and tax-reporting mechanisms. Between name and address and last 4 the IRS can figure it out.
>
> Tax preparers likewise are prohibited from having the whole value if any at all. If e-file, they upload the file to the IRS sans SSN, and give the user a record identifier which the user must then use the IRS 'portal' to fill in their SSN and hit submit.
>

From rforno at infowarrior.org Sat Oct 3 09:56:46 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 3 Oct 2015 10:56:46 -0400
Subject: [Infowarrior] - DHS detains Stockton mayor, forces password turnover
Message-ID: <103D2C1D-18A9-48DF-A708-F52E69E8AFBE@infowarrior.org>

Stockton mayor was briefly detained on return flight from China
By Hamed Aleaziz
Updated 3:48 pm, Friday, October 2, 2015
http://www.sfgate.com/bayarea/article/Stockton-mayor-was-briefly-detained-on-return-6546419.php

The mayor of Stockton was briefly detained and had two of his laptops and a cell phone confiscated by homeland security agents at the San Francisco International Airport earlier this week after returning from a trip to China.

Mayor Anthony R. Silva, who was elected in November 2012, had traveled to China for a mayor's conference, he said in a statement.
Upon his return home on Monday, Silva was briefly detained by Department of Homeland Security agents and had his belongings searched, he said.

"A few minutes later, DHS agents confiscated all my electronic devices including my personal cell phone. Unfortunately, they were not willing or able to produce a search warrant or any court documents suggesting they had a legal right to take my property. In addition, they were persistent about requiring my passwords for all devices," Silva said.

Silva was not allowed to leave the airport until he gave his passwords to the agents, which the mayor's personal attorney, Mark Reichel, claimed is illegal.

The mayor said the agents told him confiscating property from travelers at the airport was "in fact routine and not unusual," and promised to return the items within a few days. Silva was also told he had "no right for a lawyer to be present" and that being a U.S. citizen did not "entitle me to rights that I probably thought."

He has yet to get the property returned, according to Reichel. The mayor said Reichel contacted the U.S. Attorney's Office in Sacramento but was told that "we can neither confirm or deny if we have the mayor's possessions."

On Friday, Lauren Horwood, the spokeswoman for the U.S. Attorney's office in Sacramento, said that they had no comment on the mayor's statement and that they could not confirm the facts presented in his statement. "Our policy is to not confirm or deny investigations," Horwood said.

James Schwab, spokesman for the U.S. Immigration and Customs Enforcement, also would not disclose why Silva was detained. "We can't control what the mayor or his representatives say ... but that won't dictate what we do or don't release to the media," Schwab said. "Our priority is assuring the integrity of the investigative process and generally speaking we don't acknowledge that an investigation is underway ...
unless or until charges are filed, arrests are made, or documents are publicly filed with the court that confirm a probe is taking place."

For his part, Silva said he's "happy to cooperate and comply with these inspection procedures if they are in fact routine and legal."

Silva, however, raised several concerns with the incident. "I think the American people should be extremely concerned about their personal rights and privacy," he said. "As I was being searched at the airport, there was a Latino couple to my left, and an Asian couple to my right also being aggressively searched. I briefly had to remind myself that this was not North Korea or Nazi Germany. This is the land of the Free."

Silva went on to say that he is "confident that any forensic search of my personal devices will never ever show illegal or inappropriate activities of any sort."

Silva said the trip to China was sponsored by China Silicon Valley, a California nonprofit corporation committed to promoting investment and business between China and the Silicon Valley.

Hamed Aleaziz is a San Francisco Chronicle staff writer. E-mail: haleaziz at sfchronicle.com Twitter: @haleaziz

From rforno at infowarrior.org Sat Oct 3 10:11:08 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 3 Oct 2015 11:11:08 -0400
Subject: [Infowarrior] - NSA's Legal Authorities
Message-ID:

NSA's Legal Authorities

Since the start of the Snowden revelations, we not only learned about the various collection programs and systems of the National Security Agency (NSA), but also about the various legal authorities under which the agency collects Signals Intelligence (SIGINT). Because these rules are rather complex, the following overview will show which laws and regulations govern the operations of the NSA, showing what they are allowed to collect where and under which conditions. Also mentioned are various collection programs that run under these authorities.
< - >

http://electrospaces.blogspot.com/2015/09/nsas-legal-authorities.html

From rforno at infowarrior.org Sat Oct 3 11:35:15 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 3 Oct 2015 12:35:15 -0400
Subject: [Infowarrior] - Lessig: I'm Trying to Run for President, but the Democrats Won't Let Me
Message-ID:

I'm Trying to Run for President, but the Democrats Won't Let Me
By Lawrence Lessig
October 01, 2015
http://www.politico.com/magazine/story/2015/10/lessig-lawrence-democrats-debate-2016-213215

I'm running for President. Or trying. After raising $1 million in less than 30 days, I entered the primary on September 9 as the Democrats' only non-politician. My platform is simple: end the corrupting influence of money in Washington, so we might finally have, as Buddy Roemer would put it, a Congress free to lead.

But that message is being stifled with the tacit approval of the Democratic Party leadership, who are deploying the oldest method available for marginalizing campaigns they don't like: keeping me out of the Democratic presidential debates.

Here's how you make the debates: After one declares, a candidate is formally welcomed into the race by the Democratic National Committee. Polling firms, taking a cue from the DNC, include that candidate on their questionnaires. Candidates that poll at 1 percent nationally in at least three separate polls earn an invitation. Simple enough.

That's how the process typically works for other candidacies -- but not for mine. The DNC still has not formally welcomed me into the race -- despite my raising money at a faster pace than more than half the pack, and being in the race nearly a full month. Polls, in turn, have taken the hint, only including me sporadically on questionnaires: of the last 10 major polls, only three mentioned my candidacy.
One poll recently put me at 1 percent (for comparison, candidates O'Malley, Webb and Chafee, who will each get a podium at the debates, are all currently polling at 0.7 percent or less, according to Real Clear Politics). Were I actually included on every poll, I would easily make the debates.

The Democratic Party could fix this by welcoming me into the race. Yet when I tried to talk about this with the chair of the Democratic Party, Debbie Wasserman Schultz, she scheduled a call, but then cancelled it. So far she hasn't had the time to schedule another.

I've had similar experiences at the state level, where the same game is played: The chair of the New Hampshire Democrats invited me to speak at their convention. I was given 5 minutes. Hillary Clinton took an hour.

These signals from the party affect the media, too. While news shows have been busy limning the depths of Donald Trump's brain, there hasn't been time to consider a Democratic candidate saying something that no other Democrat is saying -- especially if the party itself doesn't consider the candidate a real candidate. And while the Atlantic listed me as a candidate on their website from day one, it took some lobbying to get the New York Times to do the same. Neither fish nor fowl, and not insanely rich, no one quite knows where to place a candidate like me.

This experience has led me to believe it's not just the rules that discourage an outsider Democrat. It's also the party. And that resistance may tie quite directly to the message of my campaign -- one that no politician so far has had the courage to say.

Like Clinton and Sanders and O'Malley, I believe America needs urgent and important reform: it needs a minimum wage that is a living wage, it needs climate change legislation, it needs to respect the equality of citizens and end -- finally -- the second class status that too many Americans know. It needs a health care system that Americans can afford.
It needs to stop subsidizing oil companies, and stop tolerating their pollution. It needs the courage to stand up to the banks, it needs to restore safety to the financial system, it needs an immigration policy that promises some of the hardest working Americans that they can become citizens and it needs sane gun laws that keep machine guns away from the sorts who would massacre school children.

But unlike Clinton and Sanders and O'Malley, I'm willing to tell America the truth about these urgent and important needs. That truth is this: The policies that these politicians are pushing are fantasies. Not because, as the Wall Street Journal might argue, we can't afford them. Of course we can afford them. If we can afford a trillion dollar war that has only made America less safe, we can afford a real social security system, or a health care system that doesn't sell out to pharmaceutical companies.

The reason these policies are fantasies is because of the corruption that we have allowed to evolve inside Washington, D.C. One NASA scientist, Jim Hansen, has written that the biggest obstacle to climate change legislation is money in politics. That's certainly true, but it's not just true about climate change. Every important issue that Washington faces is affected by this corruption. And what America needs right now is candidates willing to explain this truth, to describe a plan to fix it, and to commit to fixing it not someday, but on Day One.

A "democracy" in which 400 families give 50 percent of the money in campaigns is not American democracy. It is a banana republic democracy. A "democracy" in which candidates for Congress spend 30 percent to 70 percent of their time raising money from the tiniest fraction of the 1 percent is not a democracy that could be responsive to the people. It is a democracy that will be responsive to those funders only.
What America needs right now is to recognize -- all of America, not just the Democrats -- that until we fix this democracy, none of the urgent and important policies pushed by these politicians is possible. They promise the moon. We need to promise the truth: that the rocket has no fuel to carry us to the moon, and it won't get any, not until we find a way to restore a representative democracy.

That truth doesn't play well in D.C. The consultants think it's a downer. They fear downers don't win votes. But that truth need not depress anyone. The reforms that would fix this system are possible, and constitutional. And as poll after poll has demonstrated, such reforms would be supported strongly by voters in both parties. If these reforms were adopted, America could solve the real problems that are holding us back.

Democrats need to take the lead in pressing for this reform -- real reform, not the pretense that transparency would fix everything, or the fantasy (as things stand now) of an amendment to the Constitution, or the suggestion that this corruption was created by the Supreme Court. Not reform as just one policy among fifteen, but as the first priority. That will make the party's other priorities actually credible. If we did that, we could rally to our side the many Independents and Republicans who also believe this system is a corruption, and that this corruption must end.

Fixing this democracy would be easier than creating the Game of Thrones or Uber or the iPhone or Hamilton on Broadway. It's the sort of thing Americans should be able to do well -- if only we had leaders willing to rally America to what must be done now.

In 2008, Barack Obama said this to a Philadelphia audience:

If we don't take up the fight [to change the way Washington works], then real change -- change that would make a lasting difference in the lives of ordinary Americans -- will keep getting blocked by the defenders of the status quo.

Obama was right in 2008.
That he didn't take up that fight then is one of the great missed opportunities of American political history. We Democrats should take it up now. But that will only happen if there is someone on that debate stage willing to say what most of America is already thinking: Yes, the policies the Democrats are pushing are the future of America. But we won't get any of them until we fix this democracy first. And we won't fix this democracy until there is someone who is willing to rally America to that truth. No Democrat is doing that right now. Someone should. I am trying. So why are the insiders trying to keep me silent? Lawrence Lessig is a Democratic candidate for president, and Roy L. Furman professor of law and leadership at Harvard Law School. Read more: http://www.politico.com/magazine/story/2015/10/lessig-lawrence-democrats-debate-2016-213215#ixzz3nWVqSZTq -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Oct 5 08:30:14 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 5 Oct 2015 09:30:14 -0400 Subject: [Infowarrior] - (In near-total secrecy) Trans-Pacific Partnership Trade Deal Is Reached Message-ID: <5DAAB165-69FC-493C-B8F2-B0F11623AB9E@infowarrior.org> Trans-Pacific Partnership Trade Deal Is Reached Jackie Calmes http://www.nytimes.com/2015/10/06/business/trans-pacific-partnership-trade-deal-is-reached.html ATLANTA - The United States and 11 other Pacific Rim nations on Monday agreed to the largest regional trade accord in history, a potentially precedent-setting model for global commerce and worker standards that would tie together 40 percent of the world's economy, from Canada and Chile to Japan and Australia. The Trans-Pacific Partnership still faces months of debate in Congress and will inject a new flash point into both parties' presidential contests. But the accord, a product of nearly eight years of negotiations, including five days of round-the-clock sessions here,
is a potentially legacy-making achievement for President Obama, and the capstone for his foreign policy "pivot" toward closer relations with fast-growing eastern Asia, after years of American preoccupation with the Middle East and North Africa. Mr. Obama spent recent days contacting world leaders to seal the deal. Administration officials have repeatedly pressed their contention that the partnership would build a bulwark against China's economic influence, and allow the United States and its allies, not Beijing, to set the standards for Pacific commerce. The Pacific accord would phase out thousands of import tariffs as well as other barriers to international trade. It also would establish uniform rules on corporations' intellectual property, open the Internet even in communist Vietnam and crack down on wildlife trafficking and environmental abuses. Several potentially deal-breaking disputes kept the ministers talking through the weekend and forced them repeatedly to reschedule the promised Sunday announcement of the deal into the evening and beyond. Final compromises covered commercial protections for drug makers' advanced medicines, more open markets for dairy products and sugar, and a slow phaseout, over two to three decades, of the tariffs on Japan's autos sold in North America. Yet the trade agreement almost certainly will encounter stiff opposition. Its full 30-chapter text will not be available for perhaps a month, but labor unions, environmentalists and liberal activists are poised to argue that the agreement favors big business over workers and environmental protection. Donald Trump has repeatedly castigated the Pacific trade accord as "a bad deal," injecting conservative populism into the debate and emboldening some congressional Republicans who fear for local interests like sugar and rice, and many conservatives who oppose Mr. Obama at every turn. Long before an accord was reached, it was being condemned by both Mr.
Trump, the Republican presidential front-runner, and Senator Bernie Sanders of Vermont, who is challenging Hillary Rodham Clinton for the Democrats' nomination. Other candidates also have been critical. Mrs. Clinton, who as secretary of state promoted the trade talks, has expressed enough wariness as she has campaigned among unions and other audiences on the left that her support is now in doubt. Still, in Congress the outcome for ratifying the agreement "will be affected by what's in it, and that's the way it should be," said Representative Sander Levin of Michigan, in an interview here before the deal came together. He was the one lawmaker to come to Atlanta to monitor final talks. Mr. Levin, the ranking Democrat on the House Ways and Means Committee, which has jurisdiction for trade, has supported some trade pacts but was skeptical of this one. He is concerned about unfair competition from Japan for his state's automakers and union workers. In particular, Mr. Levin objected that language addressing Japan's devaluation of its currency, which reduces the cost of its auto exports, would not be in the trade agreement but rather in a side agreement that would be hard to enforce against currency scofflaws. The Office of the United States Trade Representative said the partnership eventually would end more than 18,000 tariffs that the participating countries have placed on United States exports, including autos, machinery, information technology and consumer goods, chemicals and agricultural products ranging from avocados in California to wheat, pork and beef from the Plains states. Japan's other barriers, like regulations and design criteria that effectively keep out American-made cars and light trucks, would come down. While many opponents object that the trade pact will kill jobs or send them overseas, the administration contends that the United States has more to gain from freer trade with the Pacific nations. Eighty percent of those nations'
exports to the United States are already duty-free, officials say, while American products face assorted barriers in those countries that would end. Also, the administration contends that increased United States sales abroad would create jobs in export industries, which generally pay more than jobs in domestic-only businesses. The parties to the accord also include New Zealand, Mexico, Peru, Malaysia, Singapore and Brunei. The accord for the first time would require state-owned businesses like those in Vietnam and Malaysia to comply with commercial trade rules and labor and environmental standards. Michael B. Froman, the United States trade representative, called the labor and environmental rules the strongest ever in a trade agreement and a model for future pacts, although some environmental groups and most unions remained implacably opposed. The worker standards commit all parties to the International Labor Organization's principles for collective bargaining, a minimum wage and safe workplaces, and against child labor, forced labor and excessive hours. Unions and human rights groups have been skeptical at best that Vietnam, Malaysia and Brunei will improve labor conditions, or that Malaysia will stop human trafficking of poor workers from Myanmar and Southeast Asia. The United States reached separate agreements with the three nations on enforcing labor standards, which would allow American tariffs to be restored if a nation is found in violation after a dispute-settlement process. On the environment, the accord has provisions against wildlife trafficking, illegal or unsustainable logging and fishing, and protections for a range of marine species and animals including elephants and rhinoceroses. For the first time in a trade agreement there are provisions to help small businesses without the resources of big corporations to deal with trade barriers and red tape. A committee would be created to assist smaller companies.
The agreement also would overhaul special tribunals that handle trade disputes between businesses and participating nations. The changes, which also are expected to set a precedent for future trade pacts, respond to widespread criticisms that the Investor-State Dispute Settlement panels favor businesses and interfere with nations' efforts to pass rules safeguarding public health and safety. Among new provisions, a code of conduct would govern lawyers selected for arbitration panels. And tobacco companies would be excluded, to end the practice of using the panels to sue countries that pass antismoking laws. On Sunday, Matthew Myers, president of the Campaign for Tobacco-Free Kids, hailed the provision as "historic." In a concession likely to be problematic with leading Republicans, the United States agreed that brand-name pharmaceutical companies would have a period shorter than the current 12 years to keep secret their data on producing so-called biologics, which are advanced medicines made from living organisms. Senator Orrin G. Hatch of Utah, chairman of the Senate Finance Committee, which has jurisdiction over trade, has threatened to withdraw his support for the accord if United States negotiators agree to loosening pharmaceutical industry protections against American law. But arrayed against the United States, which said the protection was a necessary incentive for drug makers to innovate, were virtually every other country at the table, led by Australia. The generic drug industry and nonprofit health groups also strenuously opposed the United States' position, pressing for access to the data within five years to speed lower priced "biosimilars" to market. The compromise is a hybrid that protects companies' data for five years to eight years. Only once that intellectual property issue was settled did several nations, including Canada, New Zealand and the United States, turn to the arcane details of further opening their dairy markets.
Months of final drafting, analyses and debate lie ahead. Mr. Obama cannot sign the accord until Congress has its 90 days to review the pact's details. The difficulty the president confronts was foreshadowed earlier this year by his narrow victory in winning "fast track" trade promotion authority from Congress. That authority guarantees that trade pacts will get expedited consideration in Congress: a yes-or-no vote without amendments or filibusters. Passage of fast-track power eased Mr. Obama's ability to conclude the Pacific accord as well as to continue negotiating a separate, more difficult trade pact with Europe. Other nations might balk at making a trade deal with the United States, the argument goes, if the terms could be effectively rewritten in Congress. -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Oct 5 08:30:24 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 5 Oct 2015 09:30:24 -0400 Subject: [Infowarrior] - Fear of lawsuits chills car hack research Message-ID: <91C591CE-6E9B-4C49-8633-7F9C34E2FB5C@infowarrior.org> Fear of lawsuits chills car hack research By Katie Bo Williams - 10/03/15 02:37 PM EDT http://thehill.com/policy/cybersecurity/255832-fear-of-lawsuits-chills-car-hack-research Regulatory agencies are trying to use copyright law to crack down on dangerous tampering with automobile computers, sparking fears that they will stymie needed cybersecurity research. As Internet-connected cars proliferate on the roads, so too do the opportunities for hackers to uncover and possibly exploit software security flaws, for good and bad. Concerns about who should and shouldn't have access to vehicle software came to a head this summer when "white hat hackers" exploited a vulnerability and took control of a Jeep's steering, brakes and transmission. The hackers demoed the stunt live on the highway, sparking concerns about how researchers go about disclosing vulnerabilities to manufacturers and the public.
Critics, including car manufacturers, suggest that researchers who go public with their findings both recklessly expose vulnerabilities to the bad guys and give manufacturers no time to resolve concerns. Others say silencing researchers has dangerous implications for both public safety and national security. "The enemy of security is not a security researcher who wants to report a bug," said Katie Moussouris, Chief Policy Officer at vulnerability management firm Hacker One. "The enemy of security is nondisclosure of the vulnerabilities, because then there's nothing you can do about them." In the case of the Jeep hack, the researchers worked with parent company Chrysler for nine months leading up to their stunt on the highway. The manufacturer quietly released a patch during that time, but criticized the hackers for publicizing their work. "Under no circumstances does [Fiat Chrysler of America] condone or believe it's appropriate to disclose 'how-to information' that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems," the company said in a statement. "We appreciate the contributions of cybersecurity advocates to augment the industry's understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety." Last month, the Department of Transportation joined a chorus of agencies petitioning the U.S. Copyright Office to stop researchers from circumventing protected technology. "The Department is concerned that there may be circumstances in which security researchers may not fully appreciate the potential safety ramifications of their security circumvention acts and may not fully understand the logistical and practical limitations associated with potential remedial actions that may become necessary," DOT wrote in a letter to the Copyright Office.
Critics characterize the letter as a knee-jerk reaction to the Jeep hack. The Copyright Office is mulling an exemption to a provision of the so-called Digital Millennium Copyright Act (DMCA) that prohibits anyone from circumventing a technological measure that controls access to copyrighted work, like vehicle software. The law already includes one exemption for good-faith hackers: They can proceed with research if they have permission from the vendor, but that's not necessarily a given. Researchers say some manufacturers still view security vulnerabilities as a public relations risk, rather than an inevitability. Some companies have taken a proactive approach to white-hat hackers, offering hefty "bug bounties" to researchers that uncover and resolve security flaws. Tesla pays rewards ranging from $25 to $10,000 for disclosures, with a couple of caveats. The manufacturer asks that hackers give it "a reasonable time to correct the issue before making any information public." The DOT acknowledges that good-faith research "presents the potential benefit of promoting collaboration in identifying security vulnerabilities." The department says its concerns could be addressed by placing limitations on public disclosures of security vulnerabilities, rather than banning any research outright. One possible resolution, according to the DOT, is for researchers to be protected under the copyright law if they disclose their findings only to regulators or potentially affected parties. Critics say this approach silos security analysts, effectively cutting them off from the community collaboration that is a part of academic research, while doing nothing to stop hackers who operate outside of the law from sharing their findings. "The issue with any prohibition on security research is that you're only stopping good researchers that follow the law in one country," said Kevin Mahaffey, chief technology officer of the mobile security company Lookout.
"That's a very small subset of security researchers in the world." The DOT's proposal would also rely on manufacturers to be quick responders to threat disclosures, something not all researchers trust them to be. "There have been instances where a researcher had in fact told a manufacturer and the manufacturer had not addressed the vulnerability," Erik Stallman, general counsel at the Center for Democracy and Technology, told The Hill. Automakers say they are vigilant about security concerns. The Alliance of Automobile Manufacturers, the major industry group, recently announced it had created a hub that would allow companies to swap data on cyber threats. Eventually, the group says, telecommunications and technology companies will hopefully participate in the hub. The hacking debate comes as the auto industry is struggling to reestablish trust in the wake of damning revelations about Volkswagen's proprietary software. Last month, the EPA accused the German automaker of including software in some diesel vehicles that gamed emissions requirements, making it look as if the cars were complying with federal standards when in fact they were not. The DOT also suggests that any copyright law exemption for security researchers should require that they give vendors enough time to respond before they go public with their findings. But security experts say rather than limiting disclosures, the better approach would be to create a better system for reporting. Across the security industry, there is an accepted standard for disclosures to manufacturers, but it's far from codified and still leaves researchers uncertain as to whether reporting their work will open them up to litigation. Fear of legal action, experts say, can chill needed research while more malicious hackers continue hunting for software holes unfettered. "There are statutory exemptions for security testing but their exact limits are unclear," Stallman said.
"What's getting in the way of needed cybersecurity research is uncertainty about what is and is not permissible. That's a big problem for researchers, people who fund the research and the institutions that employ them." -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Oct 5 10:47:57 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 5 Oct 2015 11:47:57 -0400 Subject: [Infowarrior] - New implant can reverse Alzheimer's damage Message-ID: Memory loss breakthrough: New implant can reverse Alzheimer's damage Anil Dawar http://www.express.co.uk/news/uk/609875/new-implant-reverse-Alzheimers-memory-loss-high-tech-device-treatment Scientists have developed an electronic implant to help brains damaged by Alzheimer's retain memories. They hope it will be used to take over certain areas of diseased brains to help "translate" a short-term memory into a permanent one. The implant has been developed at the University of Southern California and Wake Forest Baptist Medical Centre over a decade. The project is funded by the US military as a way of helping injured soldiers overcome memory loss. But researchers say the astonishing technology could also help to treat brain diseases such as Alzheimer's. Project head Ted Berger said the device is already being tried out on humans. Speaking at the IEEE Engineering in Medicine and Biology Society conference in Milan, he said: "It's like being able to translate from Spanish to French without being able to understand either language." News of the research prompted excitement among campaigners. Dr Clare Walton, of the Alzheimer's Society, said: "A prosthetic memory device is a very exciting prospect, but it has taken decades of research to get this far and there are still many unknowns that need to be worked out by the scientists.
"It's encouraging to see these cutting edge technologies being applied to help people affected by memory loss, but this isn't something that people with dementia can expect to be readily available in the next decade. "If this device is developed further and successfully tested in humans, it could prove to be an effective treatment for some of the symptoms of dementia. However, it will not cure or slow down the progression of the condition." Alzheimer's causes the brain to degenerate and the damage interferes with the formation of new long-term memories while old ones survive. The new US technology has already been tested on nine people with epilepsy who had electrodes implanted in their brains to treat chronic seizures. Researchers read the electrical signals created in the patients' brains as they conducted simple tasks. The results were then used to create a computer program which could predict with 90 per cent accuracy how the signals would be translated. Being able to predict brain signals will allow the scientists to design a device which can support or replace the functions of a damaged section. The next step will be to send the translated signal back into the brain of a patient with damage to their hippocampus, the memory centre, in the hope that this will bypass the trouble spot and form accurate long-term memories. It is the first time scientists anywhere in the world have used computers to manipulate memory signals directly in the human brain. Researchers have previously implanted devices so paralysed people can move false arms and their own limbs. -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Oct 5 16:45:09 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 5 Oct 2015 17:45:09 -0400 Subject: [Infowarrior] - Edward Snowden interview on BBC Message-ID: <1952BBF9-AEAE-4ACD-A8CB-B851D2EBED56@infowarrior.org> Edward Snowden interview: 'Smartphones can be taken over' By Peter Taylor BBC News, 5 hours ago
Smartphone users can do "very little" to stop security services getting "total control" over their devices, US whistleblower Edward Snowden has said. The former intelligence contractor told the BBC's Panorama that UK intelligence agency GCHQ had the power to hack into phones without their owners' knowledge. Mr Snowden said GCHQ could gain access to a handset by sending it an encrypted text message and use it for such things as taking pictures and listening in. The UK government declined to comment. < - > http://www.bbc.com/news/uk-34444233 Watch Peter Taylor's film: Edward Snowden, Spies and the Law on Panorama on BBC One on Monday, 5 October at 20:30 BST or catch up later online. -- It's better to burn out than fade away. From rforno at infowarrior.org Mon Oct 5 17:16:20 2015 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 5 Oct 2015 18:16:20 -0400 Subject: [Infowarrior] - Patent Owner Insists 'Integers' Do Not Include The Number One Message-ID: Patent Owner Insists 'Integers' Do Not Include The Number One https://www.techdirt.com/articles/20150930/16145432396/patent-owner-insists-integers-do-not-include-number-one.shtml -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Oct 6 06:39:56 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 6 Oct 2015 07:39:56 -0400 Subject: [Infowarrior] - $460M CYBERCOM Contract Will Create Digital Munitions Message-ID: <165876BF-3ABB-4103-9C59-873857F4C58C@infowarrior.org> $460M CYBERCOM Contract Will Create Digital Munitions October 5, 2015 http://www.defenseone.com/technology/2015/10/460m-cybercom-contract-will-create-digital-munitions/122556/ The first job under a forthcoming $460 million U.S. Cyber Command contract to outsource all mission support involves, among other activities, a lot of digital munitions-making. Aliya Sternstein reports on cybersecurity and homeland security systems.
An 84-page draft task order released Sept. 30 runs the gamut of hacking and counterhacking work, plus traditional IT support activities. The proposed solicitation was accompanied by a 114-page draft of the full 5-year contract. In May, CYBERCOM officials cancelled a similar $475 million project announced earlier that month. At the time, officials explained a reorganized request for bids with more details would be out in the fall. The initial work order will support "cyber joint munitions effectiveness", by developing and deploying "cyber weapons" and coordinating with "tool developers" in the spy community, the documents state. In addition, the prospective vendor will plan and execute joint "cyber fires." CYBERCOM is in the midst of recruiting 6,200 cyberwarriors for teams positioned around the world. The command's duty is to thwart foreign hackers targeting the United States, aid U.S. combat troops overseas and protect the dot-mil network. In the past, some military academics have voiced concerns about the unintended outcomes of such maneuvers. Malicious code released into networks could backfire and harm U.S. individuals or allies, they warned. "Due to the 'system of systems' nature" of cyberspace, "it is very difficult to know exactly what effect" defensive or offensive actions will have on U.S. and ally assets, "since we can't be sure exactly how far out the cyber action might spread," Dee Andrews and Kamal Jabbour wrote in a 2011 article for Air Force Space Command's Journal for Space & Missile Professionals. "The difficulty in doing a damage estimate before cyber action is taken makes cyber friendly fire difficult to identify and mitigate."
There are dozens of bullet points on training support work in the contracting documents. For example, the hired contractor will run exercises on "USCYBERCOM Fires processes" with the Joint Advanced Cyber Warfare Course, the Army Cyberspace Operations Course, the Air Force Weapons School, the Joint Targeting School and other outside groups, the documents state. Certain contract personnel supporting these so-called cyber fires will be subjected to additional background reviews and will have to comply with "need-to-know" classification rules, according to officials. Beyond unleashing malware, the chosen contract employees will help repel attacks on Defense Department smartphones housing sensitive data, according to the government. This assignment involves analyzing forensics reports on hacked mobile devices and conducting security assessments of mobile apps, among other things. There also is some cyber espionage work entailed. The selected contractor will aid the "fusion," or correlation of clues, from "reliable sources," network sensors, network scans, open source information, and "situational awareness of known adversary activities," the documents state. The professionals hired will probe lurking, well-resourced threats inside military networks and identify "signatures" of the hacker footprints discovered, they add. The signatures, such as IP addresses and strings of code, will be used to determine if there is malicious activity elsewhere inside Pentagon and defense industry networks, according to officials. Another CYBERCOM duty will be proposing procedures for facilitating "all-source intelligence analysis of the foreign threat picture", information collected from spies, data surveillance, public information and other inputs. A final comprehensive solicitation and task order are scheduled to be released later this month. The government is accepting questions about the drafts from companies until Oct. 7. -- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Oct 6 06:49:12 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 6 Oct 2015 07:49:12 -0400 Subject: [Infowarrior] - EU court's bombshell privacy ruling Message-ID: Facebook row: US data storage leaves users open to surveillance, court rules EU court ruling that privacy is being compromised could force many digital companies to relocate operations The ECJ issued its opinion after campaigner Maximilian Schrems challenged Facebook over the transfer of his data to US intelligence agencies. Owen Bowcott Legal affairs correspondent @owenbowcott Tuesday 6 October 2015 07.39 EDT http://www.theguardian.com/world/2015/oct/06/us-digital-data-storage-systems-enable-state-interference-eu-court-rules US data storage systems operated by Facebook and other digital operators do not provide customers with protection from state surveillance, the European court of justice has ruled. The declaration by the EU court in Luxembourg that privacy is being compromised will have far-reaching consequences for the online industry and could force many companies to relocate their operations. Declaring the American so-called safe harbour scheme "invalid", the ECJ, whose findings are binding on all EU member states, ruled that: "The United States ... scheme thus enables interference, by United States public authorities, with the fundamental rights of persons..." Safe harbour is an agreement between the European commission and the US that provides guidance for US firms on how to protect the personal data of EU citizens as required by the European Union's directive on data protection. There are negotiations going on to upgrade the framework and provide better privacy for online users.
The ruling, confirming an opinion by the court's advocate-general last month, is a victory for the Austrian campaigner Maximilian Schrems, who initially brought a claim against Facebook in Ireland in the wake of Edward Snowden's revelations about the activities of the US National Security Agency (NSA). The ECJ ruling said: "The safe harbour decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. "... This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data." Responding to the judgment, the Liberal Democrat MEP Catherine Bearder commented: "This is a historic victory against indiscriminate snooping by intelligence agencies, both at home and abroad. In a globalised world, only a strong and binding international framework will ensure our citizens' personal data is secure." Monika Kushewsky, a data privacy lawyer with the firm Covington, said: "This judgment is a bombshell. The EU's highest court has pulled the rug under the feet of thousands of companies that have been relying on safe harbour. All these companies are now forced to find an alternative mechanism for their data transfers to the US. And, this, basically overnight, as the court has declared the commission decision on safe harbour invalid without providing for any transitional period."
Mike Weston, CEO of the data science consultancy Profusion, said: "American companies are going to have to restructure how they manage, store and use data in Europe and this takes a lot of time and money. The biggest casualties will not be companies like Google and Facebook because they already have significant data centre infrastructure in countries like the Republic of Ireland, it will be medium-sized, data-heavy tech companies that don't have the resources to react to this decision." Mark Thompson, privacy practice leader at KPMG, said: "Europe [is] taking a strong stance in ensuring that European citizens are provided the same level of protection no matter where the processing of their personal information takes place. "At the foundation of this is the need for global organisations to take privacy seriously, creating an environment which respects the rights of the individuals whose personal information they process regardless of the mechanism used to legitimise the transfer." The home affairs spokesman for the Greens in the European parliament, Jan Philipp Albrecht, said: "Safe harbour enabled masses of Europeans' personal data to be transferred by companies like Facebook to the United States over the past 15 years. With today's verdict it is clear that these transfers were in breach of the fundamental right to data protection. It is now up to the commission and the Irish data protection commissioner to immediately move to prevent any further data transfers to the US in the framework of safe harbour. "It is now high time to pass a strong and enforceable framework for the protection of personal data in the course of the EU data protection reform and make clear to the United States that it has to deliver adequate legally binding protection in the private sector as well as to introduce juridical redress for EU citizens with regards to their privacy rights in all sectors including national security." -- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Oct 6 06:50:26 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 6 Oct 2015 07:50:26 -0400
Subject: [Infowarrior] - What is 'safe harbour' and why did the EUCJ just declare it invalid?
Message-ID: <5E4334AD-38EF-4B8C-A5F3-2960737BBB36@infowarrior.org>

What is 'safe harbour' and why did the EUCJ just declare it invalid?

EUCJ ruling could affect the way US companies operate in Europe and where they can send EU citizens'

Samuel Gibbs @SamuelGibbs
Tuesday 6 October 2015 07.09 EDT

http://www.theguardian.com/technology/2015/oct/06/safe-harbour-european-court-declare-invalid-data-protection

From rforno at infowarrior.org Wed Oct 7 06:45:25 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 7 Oct 2015 07:45:25 -0400
Subject: [Infowarrior] - Verizon's Zombie Cookie Gets New Life
Message-ID: <4BEF799D-A9E8-4292-8F4A-76E07DFB0432@infowarrior.org>

Verizon's Zombie Cookie Gets New Life

Verizon is merging its cellphone tracking supercookie with AOL's ad tracking network to match users' online habits with their offline details.

by Julia Angwin and Jeff Larson
ProPublica, Oct. 6, 2015, 1:15 p.m.

Verizon is giving a new mission to its controversial hidden identifier that tracks users of mobile devices. Verizon said in a little-noticed announcement that it will soon begin sharing the profiles with AOL's ad network, which in turn monitors users across a large swath of the Internet.

That means AOL's ad network will be able to match millions of Internet users to their real-world details gathered by Verizon, including "your gender, age range and interests." AOL's network is on 40 percent of websites, including on ProPublica. AOL will also be able to use data from Verizon's identifier to track the apps that mobile users open, what sites they visit, and for how long. Verizon purchased AOL earlier this year.
< - >

Verizon users are still automatically opted into the program.

< - >

https://www.propublica.org/article/verizons-zombie-cookie-gets-new-life

From rforno at infowarrior.org Wed Oct 7 17:01:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 7 Oct 2015 18:01:50 -0400
Subject: [Infowarrior] - Polls likely tell Hillary to oppose TPP, so she does
Message-ID: <3359E1CD-7A26-4C71-AF01-0F182BB17EB2@infowarrior.org>

In what seems like a nervous populist move amid Bernie Sanders' gains, Hillary Clinton has flip-flopped rather stunningly to oppose President Obama's Trans-Pacific Partnership. Despite supporting the bill at least 45 times, as CNN's Jake Tapper points out, Clinton told PBS' Judy Woodruff Wednesday in Iowa that, "As of today, I am not in favor of what I have learned about it." It's also a departure from the Clinton legacy; as CNN notes, it was President Bill Clinton who, two decades ago, signed the first mega-regional pact: the North American Free Trade Agreement.

< - >

http://www.zerohedge.com/news/2015-10-07/hillary-flip-flops-tpp-shuns-obamas-trade-plan-after-publicly-supporting-it-45-times

From rforno at infowarrior.org Wed Oct 7 17:06:31 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 7 Oct 2015 18:06:31 -0400
Subject: [Infowarrior] - TPP Also Locks In Broken Anti-Circumvention Rules That Destroy Your Freedoms

TPP Also Locks In Broken Anti-Circumvention Rules That Destroy Your Freedoms
from the sad-to-see dept

https://www.techdirt.com/articles/20151006/17213732458/tpp-also-locks-broken-anti-circumvention-rules-that-destroy-your-freedoms.shtml

We already wrote about how New Zealand has released some of the details about the finalized TPP agreement before the official text is released.
The one we discussed is forcing participants into a "life plus 70 years" copyright term, even as the US had been exploring going back towards a life plus 50 regime like much of the rest of the world. That won't be possible any more. Another issue revealed in the New Zealand announcement is that the TPP will similarly lock in an anti-circumvention clause.

In the US, we have a really problematic anti-circumvention law in Section 1201 of the DMCA, which says it's against the law to circumvent "technological protection measures" even if for reasons that are perfectly legal and non-infringing. This has created a huge mess that threatens innovation in all sorts of problematic ways. It takes away our freedom to tinker with devices that we own. It also makes it illegal to do things that pretty much everyone agrees should be perfectly legal. Earlier this year, some in Congress introduced a bill to fix Section 1201. However, that may not be possible after the TPP is agreed to.

Again, the details matter, but here's what New Zealand has to say about this issue:

New Zealand has, however, agreed to extend its existing laws on technological protection measures (TPMs), which control access to digital content like music, TV programmes, films and software. Circumventing TPMs will be prohibited but exceptions will apply to ensure that people can still circumvent them where there is no copyright issue (for example, playing region-coded DVDs purchased from overseas) or where there is an existing copyright exception (for example, converting a book to braille).

So, yes, it appears there will be certain exceptions allowed, but again that gets the equation entirely backwards. At best, circumvention should be considered legal as the default, and the problem should only come in if the circumvention was done for the purpose of actual infringement.
Starting from the position of "no circumvention" and then backdooring in "exceptions" massively hinders innovation by requiring permission before certain innovations are allowed. Given how important this kind of innovation has been for the tech sector, it's disappointing in the extreme that the USTR has decided to lock this in and block all kinds of important innovations from moving forward. Once again, the USTR seems focused on protecting legacy industries while hamstringing innovative industries.

From rforno at infowarrior.org Wed Oct 7 17:07:28 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 7 Oct 2015 18:07:28 -0400
Subject: [Infowarrior] - Former NSA Chief: I 'Would Not Support' Encryption Backdoors

Former NSA Chief: I 'Would Not Support' Encryption Backdoors
Written by Lorenzo Franceschi-Bicchierai, Staff Writer
October 6, 2015 // 02:38 PM EST

http://motherboard.vice.com/read/former-nsa-chief-strongly-disagrees-with-current-nsa-chief-on-encryption

Michael Hayden, the former head of the CIA and the NSA, thinks the US government should stop railing against encryption and should support strong crypto rather than asking for backdoors. The US is "better served by stronger encryption, rather than baking in weaker encryption," he said during a panel on Tuesday.

Hayden said that the US government developed certain habits that led it to favor offense rather than defense in cyberspace, but that nowadays, the world has changed, and there's a need for a change in attitude, referring to the 1990s debate over the Clipper Chip, a telephone surveillance backdoor that the US government tried to impose on telephone companies.

"American security might be best secured by toeing more in the direction of giving up the offensive advantage, in order to more secure American communications," Hayden said during a panel on cybersecurity at the Council on Foreign Relations in Manhattan.

This is surprising because current leadership in the Department of Defense and at the FBI has strongly advocated the opposite position. In July, Hayden already hinted that he didn't support the FBI's push for backdoors, but he came out strongly against it on Tuesday.

When I asked Hayden about his position on the current encryption debate in an interview following the event, the former top spy told me that he "would not support [FBI] Director [James] Comey's demands for access."

The debate, which some have billed as the new Crypto War, has been brewing in Washington, DC for more than a year, after the FBI warned that Apple's new plan to lock iPhones by default could lead to "a very dark place."

Hayden also specifically added that he "would not" ask for a backdoor.

Hayden's clear and direct dismissal of the FBI's demands puts him at odds even with the current NSA director, Adm. Mike Rogers, who has publicly said he shared Comey's concerns, and that there needs to be a "legal framework" for the US government to access data held or exchanged using online services or devices created by US tech companies.

Hayden said that losing the first Crypto War on the Clipper Chip did not stop the US government from obtaining the information it needed.

"In retrospect, we mastered the problem we created by the lack of the Clipper Chip," he said. "We were able to do a whole bunch of other things. Some of the other things were metadata, and bulk collection and so on."
From rforno at infowarrior.org Wed Oct 7 20:47:22 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 7 Oct 2015 21:47:22 -0400
Subject: [Infowarrior] - Lawmakers demand DHS reveal cyber reorganization plans

Lawmakers demand DHS reveal cyber reorganization plans
By Katie Bo Williams - 10/07/15 11:24 AM EDT

http://thehill.com/policy/cybersecurity/256198-lawmakers-demand-dhs-reveal-cyber-reorganization-plans

House Homeland Security Committee members are demanding the Department of Homeland Security (DHS) be more transparent with proposed reorganization efforts that involve several cybersecurity offices.

During a Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee hearing on Wednesday, Chairman John Ratcliffe (R-Texas) criticized the agency for pushing forward with a leaked reorganization proposal without involving lawmakers.

"Several members of the committee and I were very disappointed to find out about this proposal through leaked reports in the media," Ratcliffe said. "The committee only received a briefing after these reports in the press, and unfortunately, only minimal details of the reorganization effort after several requests have been provided in the time since.

"Even more disappointing, the committee has heard that DHS leadership had planned to move forward unilaterally on several efforts without Congressional review or approval," Ratcliffe added.

Members from both sides of the aisle echoed Ratcliffe's criticism.

"I'm really disappointed that we had to get here the way that we got here," Rep. Cedric Richmond (D-La.) said. "I think it's due to a lack of communication. What I hope it's not is dismissing our role and our authority and responsibility to make sure the people of this country are protected."
The DHS has reportedly been working on restructuring the National Protection and Programs Directorate (NPPD), which includes an important cyber hub, as well as an office that helps secure the government's networks.

NPPD Under Secretary Suzanne Spaulding insisted that the department's plans were leaked to the media "prematurely" and that the agency has tried to ensure that Congress has been informed at appropriate junctures throughout the process.

Lawmakers pressed Spaulding to commit to involving lawmakers in the department's reorganization efforts.

"Just so we're clear, do you agree with me that DHS can't move forward on at least certain parts of this reorganization without Congressional authorization under the Homeland Security Act?" Ratcliffe pressed.

"Absolutely," Spaulding answered, confirming that DHS Secretary Jeh Johnson agreed.

Spaulding was explicitly conciliatory throughout the hearing, emphasizing that her agency intended to work with lawmakers throughout the ongoing development of its plans.

In mid-September, committee members sent a letter to the agency demanding more detail on the leaked proposal that surfaced over the summer.

"Despite multiple media reports on the proposal to reorganize NPPD and numerous requests for information from our staff, we have yet to receive any specific details from the department," the letter read.

Homeland Security Chairman Michael McCaul (R-Texas) referenced the letter on Wednesday and admonished that any reorganization "should be done in full collaboration with the Congress and specifically with this committee."

The comments come amid a broader push by committee members to increase Congressional direction over DHS. The committee has shepherded through a number of pieces of legislation aimed at reforming the agency. On Tuesday, the House passed a bill brought by committee member Rep. Cedric Richmond (D-La.) requiring DHS to develop a formal cybersecurity strategy.
"For far too long, key elements of DHS have operated without proper direction from Congress and we will continue to find a way DHS can operate more efficiently to safeguard our nation," McCaul said in a Sept. 30 statement.

From rforno at infowarrior.org Thu Oct 8 07:30:15 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 8 Oct 2015 08:30:15 -0400
Subject: [Infowarrior] - Purdue University Completely Freaks Out Because Bart Gellman's Speech

(pathetic but totally predictable I think. --rick)

Purdue University Completely Freaks Out Because Bart Gellman's Speech Shows Classified Snowden Docs Already Seen By Millions

https://www.techdirt.com/articles/20151007/16463332473/purdue-university-completely-freaks-out-because-bart-gellmans-speech-shows-classified-snowden-docs-already-seen-millions.shtml

From rforno at infowarrior.org Thu Oct 8 10:57:33 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 8 Oct 2015 11:57:33 -0400
Subject: [Infowarrior] - Groups Issue Warning: Pro-Corporate TPP Could Kill the Internet
Message-ID: <4904629A-D224-4B4F-96D9-C4BD60DEE036@infowarrior.org>

(Waiting for POTUS to proclaim "if you like your Internet, you can keep it" when defending the secret Obamatrade bill to the US public ..... ---rick)

Groups Issue Warning: Pro-Corporate TPP Could Kill the Internet
by Deirdre Fulton, staff writer

http://www.commondreams.org/news/2015/10/06/groups-issue-warning-pro-corporate-tpp-could-kill-internet

The "disastrous" pro-corporate trade deal finalized Monday could kill the Internet as we know it, campaigners are warning, as they vow to keep up the fight against the Trans Pacific Partnership (TPP) agreement between the U.S. and 11 Pacific Rim nations.

"Internet users around the world should be very concerned about this ultra-secret pact," said OpenMedia's digital rights specialist Meghan Sali. "What we're talking about here is global Internet censorship. It will criminalize our online activities, censor the Web, and cost everyday users money. This deal would never pass with the whole world watching -- that's why they've negotiated it in total secrecy."

TPP opponents have claimed that under the agreement, "Internet Service Providers could be required to 'police' user activity (i.e. police YOU), take down Internet content, and cut people off from Internet access for common user-generated content." Among the deal's provisions are rules that could criminalize file-sharing, whistleblowing, and breaking digital locks, even for legitimate purposes.

Of course, because the contents of the pact have been negotiated largely in secret, the exact implications of the TPP on user rights are yet to be seen. However, Electronic Frontier Foundation's (EFF) Maira Sutton wrote on Monday, "We have no reason to believe that the TPP has improved much at all from the last leaked version released in August, and we won't know until the U.S. Trade Representative releases the text. So as long as it contains a retroactive 20-year copyright term extension, bans on circumventing DRM, massively disproportionate punishments for copyright infringement, and rules that criminalize investigative journalists and whistleblowers, we have to do everything we can to stop this agreement from getting signed, ratified, and put into force."
Furthermore, "The fact that close to 800 million Internet users' rights to free expression, privacy, and access to knowledge online hinged upon the outcome of squabbles over trade rules on cars and milk is precisely why digital policy consideration[s] do not belong in trade agreements," Sutton added, referring to the auto and dairy tariff provisions that reportedly held up the talks.

With a major protest against the TPP and other secret trade deals planned for November in Washington, D.C., EFF is crowdsourcing slogans related to how the TPP threatens digital rights and freedoms around the world. "Successive leaks of the TPP have demonstrated that unless you are a big business sector, the [U.S. Trade Representative, or USTR] simply doesn't care what you have to say," wrote EFF's Jeremy Malcolm.

"Enough's enough," reads the group's call-to-action. "The time for whitepapers and presentations is past. The USTR has failed us, so now it's time for the public to rise up and take their message about the TPP's threats to user rights to Congress, which has the ultimate authority to approve or reject the deal for the United States."

From rforno at infowarrior.org Thu Oct 8 13:47:43 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 8 Oct 2015 14:47:43 -0400
Subject: [Infowarrior] - Gellman recounts the Purdue security fiasco
Message-ID: <3FE25F58-3903-4898-BB74-F8C3E1A296D1@infowarrior.org>

Scholarship, Security and "Spillage" on Campus
By Barton Gellman

This is an adventure in classified speech at an academic conference. If you know a story like it on another campus, please get in touch.
Send an email or use my secure contacts for greater privacy.

On September 24 I gave a keynote presentation at Purdue University about the NSA, Edward Snowden, and national security journalism in the age of surveillance. It was part of the excellent Dawn or Doom colloquium, which I greatly enjoyed. The organizers live-streamed my talk and promised to provide me with a permalink to share.

After unexplained delays, I received a terse email from the university last week. Upon advice of counsel, it said, Purdue "will not be able to publish your particular video" and will not be sending me a copy. The conference hosts, once warm and hospitable, stopped replying to my emails and telephone calls. I don't hold it against them. Very likely they are under lockdown by spokesmen and lawyers.

Naturally, all this piqued my curiosity. With the help of my colleague Sam Adler-Bell, I think I have pieced together most of the story...

< - >

https://medium.com/@tcfdotorg/scholarship-security-and-spillage-on-campus-15aa8fb8f38

From rforno at infowarrior.org Thu Oct 8 17:12:31 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 8 Oct 2015 18:12:31 -0400
Subject: [Infowarrior] - OT: Help Wanted (humor?)
Message-ID: <7656EFB4-2E79-4DD9-BE09-6AF7249B2254@infowarrior.org>

http://www.theguardian.com/us-news/ng-interactive/2015/oct/08/us-house-speaker-wanted-ad-guardian

HELP WANTED
IMMEDIATE OPENING - SPEAKER, US House of Representatives (Washington, DC)
compensation: $223,500
employment type: full-time

One-time historic opportunity to lead an entire house of Congress

NEVER WORK ANOTHER WEEKEND
- Full-time salary and benefits for extremely part-time work in gorgeous National Capitol
- Gluttony for punishment and lackluster organizational skills a must
- Confidence on camera a plus
- And for the Love of God know when to shut the hell up on Hannity.
- Successful applicant will have serious fundraising chops and a credible haircut.
- Are YOU a self-starter with at least 5 years' experience teaching kindergarten, domestic obedience school, encyclopedia salesmanship or equal?
- Do YOU like meetings, talking on the phone, dull inactivity and golf?
- Are YOU from a state?

NEVER WORK ANOTHER WEEKEND
- The US Congress is currently accepting applications for a 62nd speaker of the House, responsible for crafting legislative strategy, humoring bug-eyed colleagues and decrying Washington gridlock while keeping things nice for the boys who write the checks.
- SECOND IN LINE FOR THE PRESIDENCY -- although that probably won't happen.
- but you will get to golf with him
- Must be able to pretend fake deal with the president that fell through -- that was on purpose
- (required) pulse
- (preferred) current member of House of Representatives
- (clincher) Republican
- Salary $223,500
- Oil painting of you
- Box seats for pope
- Occasional overnight work but there's pizza
- Apply promptly -- open until filled. And possibly longer
- Principals only. Recruiters, please don't contact this job poster.
- do NOT contact us with unsolicited services or offers

From rforno at infowarrior.org Fri Oct 9 06:07:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 9 Oct 2015 07:07:53 -0400
Subject: [Infowarrior] - Megaupload Defendants Don't Need Expert Witnesses, U.S. Argues
Message-ID: <5B549117-6CB6-4585-9040-4F870DB47D77@infowarrior.org>

Megaupload Defendants Don't Need Expert Witnesses, U.S. Argues - TorrentFreak
By Andy

https://torrentfreak.com/megaupload-defendants-dont-need-expert-witnesses-u-s-argues-151009/

Kim Dotcom and his Megaupload co-defendants don't need to hire expert witnesses in the United States, the U.S. government argued today. Refuting claims that around $500,000 is needed to mount a proper extradition defense, the Crown prosecutor argued that incriminating admissions could not be trumped by technical know-how.
This week the United States government continued its three-year-long effort to have Kim Dotcom, Mathias Ortmann, Finn Batato and Bram van der Kolk extradited to face multiple charges including copyright infringement, conspiracy, money laundering and racketeering.

For the past several days the main extradition hearing has been held to allow Judge Nevin Dawson to hear applications from the men detailing why the full hearing should be delayed or even stayed indefinitely.

For someone who has often been associated with great wealth, it's ironic that much of the argument this week has centered around Dotcom's poor financial situation. Dotcom took the stand for the first time yesterday, explaining how in 2013 he'd sold his shares in Megaupload follow-up Mega for around $13m in order to fund his defense and then-fledgling Internet Party. After various grabs by Hollywood on his funds and other living expenses, little now remains.

However, simple lack of funds is not the only obstacle faced by Dotcom. Thanks to an ongoing U.S.-ordered freeze on the Megaupload defendants' funds, any money freed to retain experts in the U.S. would be immediately seized. This means that appropriate experts cannot be hired and as a result the men are being denied a fair extradition hearing.

According to Dotcom's lead lawyer, U.S.-based Ira Rothken, around $500,000 is needed to recruit U.S. experts in mass data storage and related technologies. However, even if that money was released it would take up to six months to prepare the experts to give evidence. Additional funds and time are needed, he argued.

But this morning in the North Shore District Court, Crown prosecutor Christine Gordon QC said that the Megaupload defendants actually need neither. Arguing on behalf of the United States, Gordon said that no amount of time and technical expertise could undo the incriminating Skype and email correspondence presented earlier in the hearing.
One such discussion, between Mathias Ortmann and Bram van der Kolk, had the latter claiming that Megaupload's growth was "mainly based on infringement anyway."

The former operators of Megaupload believe that engaging a cloud storage expert would help their case but Gordon said that after paying known copyright infringers to upload illegal content, any testimony would be useless.

"No evidence about what other storage sites do destroys the evidence of what these individuals did and what they acknowledged to each other," she said. "[A stay is] only justified in the clearest of cases, and this is not such a case."

The hearing is set to continue next week. If a stay is not granted and Dotcom and colleagues are extradited and subsequently found guilty in the U.S., they face the possibility of decades in prison.

From rforno at infowarrior.org Fri Oct 9 06:08:45 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 9 Oct 2015 07:08:45 -0400
Subject: [Infowarrior] - Obama Encryption Policy Rejects Laws Mandating Backdoors, But Leaves the Door Open for Informal Deals
Message-ID: <7211376D-748C-4EC7-BECE-4CDB698E5E46@infowarrior.org>

https://www.eff.org/deeplinks/2015/10/partial-victory-obama-encryption-policy-reject-laws-mandating-backdoors-leaves

October 9, 2015 | By Rainey Reitman

Partial Victory: Obama Encryption Policy Rejects Laws Mandating Backdoors, But Leaves the Door Open for Informal Deals

Obama's position on encryption is now public, as reported by the Washington Post. According to Ellen Nakashima and Andrea Peterson of the Post, Obama "will not -- for now -- call for legislation requiring companies to decode messages for law enforcement." Instead, the Post reports, the "administration will continue trying to persuade companies that have moved to encrypt their customers' data to create a way for the government to still peer into people's data when needed for criminal or terrorism investigations."
While eschewing attempts to legislatively mandate that tech companies build backdoors into their services, the president is continuing the status quo -- that is, informally pressuring companies to give the government access to unencrypted data. Basically, it's a partial victory for those of us fighting for strong, secure, private communications online.

The SaveCrypto.org coalition -- representing more than 50,000 people and over 30 nonprofits and companies -- has called on Obama to stand strong against attempts to undermine encryption. Specifically, the coalition states that no "legislation, executive order, or private agreement with the government should undermine our rights." Obama is taking a step in that direction, and that's a victory for the technology rights activists across the globe who have come together during this campaign.

But acknowledging that a law forcing companies to build backdoors into their users' data is not enough. If Obama wants to leave a legacy promoting innovation and consumer privacy, he should create a clear policy position opposing secret, and sometimes informal, agreements between the government and tech companies to undermine security and privacy. Internet users -- both in the United States and abroad -- deserve to trust their digital service providers, and this step would go a long way to amending the trust rift caused by years of privacy abuses by the NSA.

There's still time for the president to do the right thing. While Obama seems to have solidified his position for now, he's also promised to respond to any We the People petition that gets over 100,000 signatures. Help us get there, and tell Obama that undermining encryption -- whether through private agreement or through law -- undermines the entire Internet. Sign now.
From rforno at infowarrior.org Fri Oct 9 06:14:37 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 9 Oct 2015 07:14:37 -0400
Subject: [Infowarrior] - Orwellian Citizen Score, China's credit score system, is a warning for Americans
Message-ID: <142B4B6E-9659-412E-8912-70C68E026CEC@infowarrior.org>

ACLU: Orwellian Citizen Score, China's credit score system, is a warning for Americans
Computerworld | Oct 7, 2015 10:45 AM PT

In China, every citizen is being assigned a credit score that drops if a person buys and plays video games, or posts political comments online "without prior permission," or even if social media "friends" do so. The ACLU said the credit rating system, an Orwellian nightmare, should serve as a warning to Americans.

< - >

http://www.computerworld.com/article/2990203/security/aclu-orwellian-citizen-score-chinas-credit-score-system-is-a-warning-for-americans.html

From rforno at infowarrior.org Fri Oct 9 06:25:47 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 9 Oct 2015 07:25:47 -0400
Subject: [Infowarrior] - Convicted by Code
Message-ID: <4322B2D1-3B02-45CB-BEA5-2D56B43C8D0C@infowarrior.org>

Convicted by Code
By Rebecca Wexler

http://www.slate.com/blogs/future_tense/2015/10/06/defendants_should_be_able_to_inspect_software_code_used_in_forensics.html

Defendants don't always have the ability to inspect the code that could help convict them.

Secret code is everywhere -- in elevators, airplanes, medical devices. By refusing to publish the source code for software, companies make it impossible for third parties to inspect, even when that code has enormous effects on society and policy. Secret code risks security flaws that leave us vulnerable to hacks and data leaks. It can threaten privacy by gathering information about us without our knowledge.
It may interfere with equal treatment under law if the government relies on it to determine our eligibility for benefits or whether to put us on a no-fly list. And secret code enables cheaters and hides mistakes, as with Volkswagen: The company admitted recently that it used covert software to cheat emissions tests for 11 million diesel cars spewing smog at 40 times the legal limit.

But as shocking as Volkswagen's fraud may be, it only heralds more of its kind. It's time to address one of the most urgent if overlooked tech transparency issues -- secret code in the criminal justice system. Today, closed, proprietary software can put you in prison or even on death row. And in most U.S. jurisdictions you still wouldn't have the right to inspect it. In short, prosecutors have a Volkswagen problem.

Take California. Defendant Martell Chubbs currently faces murder charges for a 1977 cold case in which the only evidence against him is a DNA match by a proprietary computer program. Chubbs, who ran a small home-repair business at the time of his arrest, asked to inspect the software's source code in order to challenge the accuracy of its results. Chubbs sought to determine whether the code properly implements established scientific procedures for DNA matching and if it operates the way its manufacturer claims. But the manufacturer argued that the defense attorney might steal or duplicate the code and cause the company to lose money. The court denied Chubbs' request, leaving him free to examine the state's expert witness but not the tool that the witness relied on. Courts in Pennsylvania, North Carolina, Florida, and elsewhere have made similar rulings.

We need to trust new technologies to help us find and convict criminals but also to exonerate the innocent. Proprietary software interferes with that trust in a growing number of investigative and forensic devices, from DNA testing to facial recognition software to algorithms that tell police where to look for future crimes.
Inspecting the software isn't just good for defendants, though -- disclosing code to defense experts helped the New Jersey Supreme Court confirm the scientific reliability of a breathalyzer.

Short-circuiting defendants' ability to cross-examine forensic evidence is not only unjust -- it paves the way for bad science. Experts have described cross-examination as "the greatest legal engine ever invented for the discovery of truth." But recent revelations exposed an epidemic of bad science undermining criminal justice. Studies have disputed the scientific validity of pattern matching in bite marks, arson, hair and fiber, shaken baby syndrome diagnoses, ballistics, dog-scent lineups, blood spatter evidence, and fingerprint matching. Massachusetts is struggling to handle the fallout from a crime laboratory technician's forgery of results that tainted evidence in tens of thousands of criminal cases. And the Innocence Project reports that bad forensic science contributed to the wrongful convictions of 47 percent of exonerees. The National Academy of Sciences has blamed the crisis in part on a lack of peer review in forensic disciplines.

Nor is software immune. Coding errors have been found to alter DNA likelihood ratios by a factor of 10, causing prosecutors in Australia to replace 24 expert witness statements in criminal cases. When defense experts identified a bug in breathalyzer software, the Minnesota Supreme Court barred the affected test from evidence in all future trials. Three of the state's highest justices argued to admit evidence of additional alleged code defects so that defendants could challenge the credibility of future tests.

Cross-examination can help to protect against error -- and even fraud -- in forensic science and tech. But for that "legal engine" to work, defendants need to know the bases of state claims. Indeed, when federal district Judge Jed S.
Rakoff of Manhattan resigned in protest from President Obama's commission on forensic sciences, he warned that if defendants lack access to information for cross-examination, forensic testimony is "nothing more than trial by ambush."

Rakoff's warning is particularly relevant for software in forensic devices. Because eliminating errors from code is so hard, experts have endorsed openness to public scrutiny as the surest way to keep software secure. Similarly, requiring the government to rely exclusively on open-source forensic tools would crowd-source cross-examination of forensic device software. Forensic device manufacturers, which sell exclusively to government crime laboratories, may lack incentives to conduct the obsessive quality testing required.

To be sure, government regulators currently conduct independent validation tests for at least some digital forensic tools. But even regulators may be unable to audit the code in the devices they test, instead merely evaluating how these technologies perform in controlled laboratory environments. Such "black box" testing wasn't enough for the Environmental Protection Agency to catch Volkswagen's fraud, and it won't be enough to guarantee the quality of digital forensic technologies, either.

The Supreme Court has long recognized that making criminal trials transparent helps to safeguard public trust in their fairness and legitimacy. Secrecy about what's under the hood of digital forensic devices casts doubt on this process. Criminal defendants facing incarceration or death should have a right to inspect the secret code in the devices used to convict them.

Future Tense is a partnership of Slate, New America, and Arizona State University.

--
It's better to burn out than fade away.
From rforno at infowarrior.org Fri Oct 9 11:53:52 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 9 Oct 2015 12:53:52 -0400
Subject: [Infowarrior] - Wikileaks releases TPP IP chapter (EFF analysing now)
Message-ID: <0B4C5D5A-B62F-43DD-99A8-3B24B34A27C0@infowarrior.org>

TPP Intellectual Property Chapter Consolidated Text (October 5, 2015)
https://www.eff.org/document/tpp-intellectual-property-chapter-consolidated-text-october-5-2015

--
It's better to burn out than fade away.

From rforno at infowarrior.org Fri Oct 9 12:05:18 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 9 Oct 2015 13:05:18 -0400
Subject: [Infowarrior] - LogMeIn To Acquire LastPass For $125 Million
Message-ID:

LogMeIn To Acquire LastPass For $125 Million (lastpass.com)
Posted by Soulskill on Friday October 09, 2015 @12:25PM from the consolidating-security dept.

An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.

http://news.slashdot.org/story/15/10/09/1459242/logmein-to-acquire-lastpass-for-125-million

--
It's better to burn out than fade away.
From rforno at infowarrior.org Mon Oct 12 08:38:53 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 12 Oct 2015 09:38:53 -0400
Subject: [Infowarrior] - Computers, Freedom, and Privacy 2015
Message-ID:

Computers, Freedom, and Privacy 2015
By Richard Forno on October 12, 2015 at 6:36 am
https://cyberlaw.stanford.edu/blog/2015/10/computers-freedom-and-privacy-2015

I am heading to (and speaking at) the 25th Anniversary Computers, Freedom, and Privacy (CFP) 2015 this week over in Alexandria, VA. Looking forward to seeing old friends, colleagues, and meeting new folks interested in exploring the intersection of policy, technology, and action.

On Day 2 (Wed) I am moderating a late-afternoon panel session with fellow CIS Affiliate Dr. Andrea Matwyshyn (Northeastern University) and Mr. Patrick McDonald (Google) entitled, "Is There a Meaningful Solution for Security Disclosure in a Democratic Society?" There, we will discuss the current state of security vulnerability disclosure practices (e.g., bug bounty programs, public-private partnerships, and disclosure practices, including 0-days) and how existing and proposed initiatives/legislation (e.g., DMCA, CFAA, SOPA, CISA, fusion centers) can influence this process and Internet security. We hope to provide an objective and operational understanding of this critical and complex issue and expect to provide an interactive forum to identify potentially acceptable solutions for all involved stakeholders.

The overall CFP 2015 agenda[1] looks promising, and is kicked off by a Day 1 morning keynote by Edward Snowden.
Per the conference website, CFP 2015 will focus on the growing tensions between, on the one hand, maturing information technology and its benefit to innovation and free speech online and, on the other, the threat that technology poses in areas as diverse as consumer privacy, racially biased policing, political dissent worldwide and, indeed, to the teeming marketplace of digital speech and association enabled by that very technology.

See you there!

[1] http://www.cfp.org/2015/wiki/index.php/Conference_Schedule

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Oct 13 11:10:06 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Oct 2015 12:10:06 -0400
Subject: [Infowarrior] - A 'cyber Pearl Harbor' could mean new security mandates
In-Reply-To: <1591487597.3143784.1444748329051.JavaMail.yahoo@mail.yahoo.com>
References: <75F372962CFA3D4480FF57515DE883B2545337@006FCH1MPN2-003.006f.mgd2.msft.net> <1591487597.3143784.1444748329051.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

AHA! The first reference to a 'Cyber Pearl Harbor' uttered by a politician this month of cyber-mania. Took longer than I expected, I might add.

--
It's better to burn out than fade away.

> A 'cyber Pearl Harbor' could mean new security mandates
> Lawmaker warns that lack of cybersecurity standards in government and private sector is "of great concern." New regulations could rankle the tech industry.
> By Kenneth Corbin
> CIO | Oct 12, 2015 5:51 AM PT
> http://www.cio.com/article/2991484/cyber-attacks-espionage/a-cyber-pearl-harbor-could-mean-new-security-mandates.html#tk.rss_all
>
> WASHINGTON -- If businesses don't put in place stronger cybersecurity defenses, Congress might do it for them.
>
> That's the warning from Rep.
> Gerry Connolly (D-Va.), a prominent voice in Congress on IT issues, who cautions if the firms that oversee critical infrastructure such as the electric grid are hit with a catastrophic cyberattack, lawmakers could be compelled to impose new regulations that could rankle the industry.
>
> "I will tell you this: In the event of a cyber Pearl Harbor, the public will demand that Congress regulate, and standards will be imposed and there'll be no getting around that," Connolly said in remarks at a recent meeting of the Cloud Computing Advisory Caucus, which he co-chairs. "And if we want to avoid that, we've got to try to encourage [the] private sector to set very high standards that they voluntarily agree to try to meet."
>
> Connolly's warning is not directed only at industry, however.
>
> Better cybersecurity standards needed in all sectors
>
> Government agencies, too, must make strides to shore up their IT defenses, an issue that was put into sharp relief by the recently disclosed breach of the Office of Personnel Management (OPM), which compromised the personal information of millions of current and former government employees -- including Connolly, who says that on three occasions criminals have attempted to open fraudulent accounts in his name.
>
> "There is some progress, but the OPM breach really exposed us for the vulnerabilities we have," Connolly says of that attack. "It is not surprising that somebody who saw the vulnerability and exploited it, and so 22-plus million folks who served in the federal government, applied for federal jobs, had a security clearance, left federal service and returned have had their personal information hacked."
>
> Connolly laments that too many government systems -- including OPM's -- fall into the realm of legacy IT, which not only carries considerable maintenance costs, but is also more difficult to secure against a stream of ever-evolving threats.
> It is often difficult to determine the culprit in a cyber incident, but in the case of the OPM breach, Connolly points to the Chinese People's Liberation Army as the likely agent, saying that state-sponsored attacks are now "elevated to a major foreign policy concern."
>
> Connolly notes Chinese President Xi Jinping's recent visit to Washington, which produced a bilateral economic framework that included certain cybersecurity commitments, including the pledge not to support the theft of intellectual property or trade secrets.
>
> Like many in Congress, however, Connolly takes a somewhat skeptical view of the potential impact of that accord.
>
> "We'll see if it takes," he says. "But I can only tell you from a foreign policy perspective this is going to become more and more central in our relations with a number of other [nations] -- North Korea, Iran, Russia and, of course, China."
>
> Domestically, he sees more room for cooperation between the government and the business community, observing that both sectors are coming under the same types of attacks from common adversaries, and could each benefit by sharing information about emerging threats.
>
> But beyond information sharing -- an area where there is broad agreement that both the public and private sectors could do a better job -- Connolly knocks both government and industry for failing to develop a strong, broadly adopted cybersecurity framework.
>
> "The multiplicity of standards, the lack of uniformity of standards both within the federal government and, frankly, in the private sector is of great concern," he says.
>
> Though he cautions that a disastrous attack -- the sort that takes down major swaths of critical infrastructure -- could prompt lawmakers to take action on cybersecurity legislation, Connolly acknowledges that movement on the issue on Capitol Hill has been slow.
> "What's really interesting in Congress is, candidly, we really haven't done much," he says.

From rforno at infowarrior.org Tue Oct 13 12:47:50 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Oct 2015 13:47:50 -0400
Subject: [Infowarrior] - DHS may relaunch 'Rainbow Brite' alert scheme
Message-ID: <0F5EEA47-175B-4135-8FD4-385AEC559116@infowarrior.org>

(Our tax dollars, hard at work keeping up appearances, as usual. --rick)

In Chattanooga's Wake, DHS Wants to Revive Terrorism Alert System
12:47 PM ET
By Kevin Baron
http://www.defenseone.com/management/2015/10/chattanoogas-wake-dhs-wants-revive-terrorism-alert-system/122748/

President Barack Obama's top homeland security official has ordered a review of the nation's terrorism alert system to reflect what he called the growing threat of attacks originating within the United States.

The U.S. has never used the National Terrorism Alert System, a two-level system that replaced the oft-derided color-coded terrorism alerts installed after 9/11 to spread the word about potential attacks from abroad. But after a "homegrown violent extremist" killed five service members in Chattanooga, Tenn. -- and amid the expectation of more terrorist-inspired attacks -- the Department of Homeland Security wants to revise and jumpstart the system.

"I've asked our folks to consider whether we should revise that system to accommodate how the terrorism threat has evolved," DHS Secretary Jeh Johnson said Tuesday at the annual meeting of the Association of the U.S. Army in Washington, D.C. "That review is underway now."

Instead of the post-9/11 green-to-red progression, the NTAS has just two states of alert. An "elevated threat" means there is a credible threat against the United States. An "imminent threat" alerts the public to just that, "a credible, specific, and impending terrorist threat against the United States."
Under the old system, DHS took much criticism that the nation was being held on constant orange alert for no good reason. But the department has since been criticized for never issuing any alerts. U.S. intelligence and national and local law enforcement officials have opted to keep the public in the dark to avoid panic with a sudden terrorism alert.

The review is the latest of several new security measures DHS enacted since last year to address the growing threat of terrorism that originates within the borders of the U.S., rather than from abroad.

"There is a new reality," Johnson said at AUSA. "The global terrorist threat has evolved from terrorist-directed to terrorist-inspired attacks," he said.

Johnson also highlighted the department's focus on stopping foreign fighters from entering the U.S., particularly via the 38 Visa Waiver countries where so many have originated.

Later, Johnson was asked to assess how DHS would handle the coming influx of up to 10,000 Syrian refugees in this fiscal year. Johnson said the department has improved its ability to vet them using intelligence databases while meeting international commitments with the United Nations.

"We want to do more; we believe we need to do more," he said. "I'm committed to doing that and to ensuring that those that are resettled are vetted properly and receiving the appropriate security review."

"We've gotten better at that over the last couple of years, but it is a time-consuming process and one of the challenges that we'll have is that we're not going to know a whole lot about the individual refugees that come forward."

Kevin Baron is executive editor of Defense One. For more than 15 years in Washington's defense, national security and foreign affairs scene, Baron has covered the military, the Pentagon, Congress and politics for Foreign Policy, National Journal, Stars and Stripes, the Boston Globe's Washington ...

--
It's better to burn out than fade away.
From rforno at infowarrior.org Tue Oct 13 14:33:56 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Oct 2015 15:33:56 -0400
Subject: [Infowarrior] - fw: [IP] Contact AT&T's CEO, hear back from his lawyer
References: <202E22B2-6D39-4AC4-9631-1A3EF07557AA@gmail.com>
Message-ID:

> Begin forwarded message:
>
> From: "David Farber"
> Subject: [IP] Contact AT&T's CEO, hear back from his lawyer
> Date: October 13, 2015 at 3:17:33 PM EDT
> To: "ip"
> Reply-To: dave at farber.net
>
> > Begin forwarded message:
> >
> > From: the keyboard of geoff goodfellow
> > Date: October 13, 2015 at 2:49:06 PM EDT
> > Subject: Contact AT&T's CEO, hear back from his lawyer
> >
> > Contact AT&T's CEO, hear back from his lawyer
> > By David Lazarus
> > LA Times
> > Oct 13, 2015
> >
> > AT&T's Code of Business Conduct declares that "our customers should always know we value them" and that "we listen to our customers."
> >
> > But you might want to think twice before offering suggestions to the company's chief executive, Randall Stephenson, about how AT&T can improve its Internet and wireless services.
> >
> > El Sereno resident Alfred Valrie, 35, found himself in the cross hairs of a top AT&T lawyer after recently emailing Stephenson with two simple ideas for improving customer satisfaction: unlimited data for DSL users and 1,000 text messages for $10 a month.
> >
> > "I just wanted to give him something to mull over," Valrie told me. "I never thought I'd get a letter from a lawyer."
> >
> > Nobody would. Consumers are routinely assured by businesses that their feedback is valued and that their opinions matter.
> >
> > A Google search for "your opinion matters" will return about 700,000 listings, with almost all top results being companies soliciting the thoughts of customers.
> >
> > "Every firm is concerned about having open lines of communication with customers," said Eric T. Anderson, a marketing professor at Northwestern University.
> > "This is how you know if your products or services are on course," he said. "To not listen to customers is like a pilot flying blind."
> >
> > Valrie would seem the ideal AT&T customer. He gets the full package from the company -- home phone, wireless, Internet and satellite TV.
> >
> > "I'm a quadruple customer," Valrie said. "And I've been happy with their service."
> >
> > It was in that spirit that he decided to offer his two cents for some minor improvements. Valrie went online and tracked down Stephenson's email address. He sent the following message:
> >
> > "Hi. I have two suggestions. Please do not contact me in regards to these. These are suggestions. Allow unlimited data for DSL customers, particularly those in neighborhoods not serviced by U-verse. Bring back text messaging plans like 1,000 Messages for $10 or create a new plan like 500 Messages for $7.
> >
> > "Your lifelong customer, Alfred Valrie."
> >
> > You'd think any CEO would be thrilled to receive an email like that. A long-term customer is sufficiently engaged with the company to offer advice on how things could be even better.
> >
> > Stephenson, however, referred Valrie's email to AT&T's legal department, which unleashed Thomas A. Restaino, chief intellectual property counsel.
> >
> > Restaino thanked Valrie for being a lifelong customer. Then he adopted an adversarial tone.
> >
> > "AT&T has a policy of not entertaining unsolicited offers to adopt, analyze, develop, license or purchase third-party intellectual property ... from members of the general public," Restaino said.
> >
> > "Therefore, we respectfully decline to consider your suggestion."
> >
> > They wouldn't even consider what a customer had to say? That's a fine how-do-you-do.
> >
> > After Valrie shared AT&T's letter with me, I assumed the company made a mistake and would no doubt apologize as soon as I brought it to their attention.
> >
> > But no mistake had been made. Georgia Taylor, a company spokeswoman, said the response to Valrie was quite deliberate.
> > "In the past, we've had customers send us unsolicited ideas and then later threaten to take legal action, claiming we stole their ideas," she explained. "That's why our responses have been a bit formal and legalistic. It's so we can protect ourselves."
> >
> > To call AT&T's stance tone deaf would be an understatement. This is the sort of ham-fisted corporate overreaction that serves no purpose but to keep customers at arm's length.
> >
> > Had Valrie been offering a patented idea for overhauling AT&T's operations, then perhaps the company's defensive posture would be understandable. But, as he said twice in his email, he was merely making suggestions and expected no follow-up on AT&T's part.
> >
> > "AT&T missed a huge opportunity with this customer," said Andrea Godfrey Flynn, an associate marketing professor at the University of San Diego. "They may have jeopardized a long-term relationship and could end up driving him to a competitor."
> >
> > This isn't the first time AT&T has stumbled in this way. In 2010, the company apologized after threatening legal action against a customer who had griped in an email to Stephenson about not qualifying for an iPhone discount.
> >
> > The customer was told that "if you continue to send emails to Randall Stephenson, a cease-and-desist letter may be sent to you."
> >
> > AT&T still hasn't learned how to play nice with customers.
> >
> > Taylor, the company spokeswoman, said AT&T "will take a look at our processes to see where we can do better going forward."
> >
> > I have an idea. Read all emails and letters from customers carefully and don't go nuts when they're just offering some constructive feedback. (Note to AT&T lawyers: That was just a suggestion on my part; no need to break out the pitchforks.)
> >
> > And to AT&T customers, I say whatever you do, don't send your thoughts to Stephenson at his direct work email address, rs2982 at att.com .
> > http://www.latimes.com/business/la-fi-lazarus-20151013-column.html
> --
> Geoff.Goodfellow at iconia.com
> living as The Truth is True

From rforno at infowarrior.org Tue Oct 13 14:47:33 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Oct 2015 15:47:33 -0400
Subject: [Infowarrior] - There's No DRM in JPEG -- Let's Keep It That Way
Message-ID:

October 13, 2015 | By Jeremy Malcolm
There's No DRM in JPEG -- Let's Keep It That Way
https://www.eff.org/deeplinks/2015/10/theres-no-drm-jpeg-lets-keep-it-way

If you have ever tried scanning or photocopying a banknote, you may have found that your software -- such as Adobe Photoshop, or the embedded software in the photocopier -- refused to let you do so. That's because your software is secretly looking for security features such as EURion dots in the documents that you scan, and is hard-coded to refuse to let you make a copy if it finds them, even if your copy would have been for a lawful purpose.

Now imagine if you had the same problem with any image that you found online -- that your computer wouldn't let you make a copy of Gene Wilder when making an image macro, or would stop you from reposting photos from an online catalog to your Pinterest account, or would prevent an artist from using a digital photograph as the basis for a new artwork. That's essentially what the JPEG Committee is discussing today in Brussels, when considering a proposal to add DRM to the JPEG image format.

The professional version of the JPEG format, JPEG 2000, already has a DRM extension called JPSEC. But usage of JPEG 2000 is limited to highly specialized applications such as medical imaging, broadcast and cinema image workflows, and archival, therefore the availability of DRM in JPEG 2000 hasn't affected the use of images online, where the legacy JPEG format remains dominant.
Now, the JPEG Privacy and Security group is considering essentially backporting DRM to legacy JPEG images, which would have a much broader impact on the open Web. EFF attended the group's meeting in Brussels today to tell JPEG committee members why that would be a bad idea. Our presentation explains why cryptographers don't believe that DRM works, points out how DRM can infringe on the user's legal rights over a copyright work (such as fair use and quotation), and warns how it places security researchers at legal risk as well as making standardization more difficult. It doesn't even help to preserve the value of copyright works, since DRM-protected works and devices are less valued by users.

This doesn't mean that there is no place for cryptography in JPEG images. There are cases where it could be useful to have a system that allows the optional signing and encryption of JPEG metadata. For example, consider the use case of an image which contains personal information about the individual pictured -- it might be useful to have that individual digitally sign the identifying metadata, and/or to encrypt it against access by unauthorized users. Applications could also act on this metadata, in the same way that already happens today; for example Facebook limits access to your Friends-only photos to those who you have marked as your friends.

Currently some social media sites, including Facebook and Twitter, automatically strip off image metadata in an attempt to preserve user privacy. However in doing so they also strip off information about authorship and licensing. Indeed, this is one of the factors that has created pressure for a DRM system that could prevent image metadata from being removed. A better solution, not requiring any changes to the JPEG image format, would be if platforms were to give users more control over how much of their metadata is revealed when they upload an image, rather than always stripping it all out.
We encourage the JPEG committee to continue work on an open standards based Public Key Infrastructure (PKI) architecture for JPEG images that could meet some of the legitimate use cases for improved privacy and security, in an open, backwards-compatible way. However, we warn against any attempt to use the file format itself to enforce the privacy or security restrictions that its metadata describes, by locking up the image or limiting the operations that can be performed on it.

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Oct 13 15:23:55 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Oct 2015 16:23:55 -0400
Subject: [Infowarrior] - James Comey's 'Going Dark' spin continues
Message-ID: <1BB2A4D6-5291-453F-8B4B-2CAB754E3E56@infowarrior.org>

James Comey Says 'Dozens' Of Terrorists Have Eluded The FBI Thanks To Encryption
https://www.techdirt.com/articles/20151011/21185732508/james-comey-says-dozens-terrorists-have-eluded-fbi-thanks-to-encryption.shtml

--
It's better to burn out than fade away.

From rforno at infowarrior.org Tue Oct 13 17:47:14 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Oct 2015 18:47:14 -0400
Subject: [Infowarrior] - NYPD has super-secret X-ray vans
Message-ID: <4B0C700C-5EE8-4BD1-8EE0-577B9BBA6C56@infowarrior.org>

NYPD has super-secret X-ray vans
By Yoav Gonen and Shawn Cohen
http://nypost.com/2015/10/13/nypd-has-secret-x-ray-vans/

Police Commissioner Bill Bratton won't let the NYCLU -- or anyone else -- bully him for details on the NYPD's super-secret X-ray vans.

The top cop was asked Tuesday about the counter-terror vehicles, called Z Backscatter Vans, in light of the NYCLU's request to file an amicus brief arguing that the NYPD should have to release records about the X-ray vans.

"They're not used to scan people for weapons," Bratton insisted.
"The devices we have, the vehicles if you will, are all used lawfully and if the ACLU and others don't think that's the case, we'll see them in court -- where they'll lose! At this time and the nature of what's going on in the world, that concern of theirs is unfounded."

He declined to give more specific details about the devices themselves.

"Those are issues I'd prefer not to divulge to the public at this time," Bratton said. "I will not talk about anything at all about this -- it falls into the range of security and counter-terrorism activity that we engage in."

The website ProPublica filed suit against the NYPD three years ago after an investigative journalist's requests for police reports, training materials and health tests related to the X-rays were denied.

New York State Supreme Court Judge Doris Ling-Cohan ruled that the department should have to turn over the records, despite the NYPD's arguments that disclosing that information could interfere with investigations.

"While this court is cognizant and sensitive to concerns about terrorism, being located less than a mile from the 9/11 site, and having seen firsthand the effects of terrorist destruction, nonetheless, the hallmark of our great nation is that it is a democracy, with a transparent government," the judge wrote in the December 2014 decision.

The NYPD appealed that decision -- and now the NYCLU has requested to file an amicus brief urging the appeals court to uphold the lower court's original ruling.

"People should be informed if military grade x-ray vans are damaging their health with radiation or peering inside their homes or cars," said NYCLU Executive Director Donna Lieberman. "New Yorkers have a right to protect their health, welfare and privacy."

Little is known about how the NYPD uses the high-tech machines, which reportedly cost between $729,000 and $825,000. The vans are also employed by US Customs and Border Protection to scan for drugs and explosives.
--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Oct 15 08:40:59 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Oct 2015 09:40:59 -0400
Subject: [Infowarrior] - New Intercept Dump: Drones and UAVs
Message-ID: <7E3D0512-C52B-4E30-965E-6E1B0C3B4857@infowarrior.org>

The Intercept has obtained a cache of secret documents detailing the inner workings of the U.S. military's assassination program in Afghanistan, Yemen, and Somalia. The documents, provided by a whistleblower, offer an unprecedented glimpse into Obama's drone wars.

https://theintercept.com/drone-papers

--
It's better to burn out than fade away.

From rforno at infowarrior.org Thu Oct 15 15:07:07 2015
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 15 Oct 2015 16:07:07 -0400
Subject: [Infowarrior] - Research Shows NSA Exploited Flaws to Decrypt Huge Amounts of Communications
Message-ID: <4982818C-E44B-4C5C-91FD-230E8780E893@infowarrior.org>

(not surprising, of course .... that's what they do. --rick)

October 15, 2015 | By Andrew Crocker
Research Shows NSA Exploited Flaws to Decrypt Huge Amounts of Communications Instead of Securing the Internet
https://www.eff.org/deeplinks/2015/10/research-shows-nsa-exploited-flaws-decrypt-huge-amounts-communications-instead

According to an award-winning paper presented at a security conference earlier this week by a group of prominent cryptographers, the NSA has used its access to vast computing power as well as weaknesses in the commonly used TLS security protocol in order to spy on encrypted communications, including VPNs, HTTPS and SSH. As two of the researchers, Alex Halderman and Nadia Heninger explained, it was previously known that the NSA had reached a "breakthrough" allowing these capabilities. The paper represents a major contribution to public understanding by drawing a link between the NSA's computing resources and previously known cryptographic weaknesses.
For readers interested in more detail, EFF published a two-part explainer when the paper was first published in May: Part I and Part II. As we said then, the vulnerabilities described in the paper demonstrate an example of why it is a terrible idea to intentionally weaken cryptography. In this case, weaker "export grade" encryption standards mandated in the 90's permit attackers to man-in-the-middle many "secure" connections. And in an even more concerning revelation, it appears that when the NSA encountered stronger ciphersuites, it used its nearly blank check budget to bring vast amounts of computing power to bear on passively decrypting intercepted communications. According to reports, the NSA brought this decryption capability online sometime before 2012.

In both cases, the government has chosen to sit on and potentially weaknesses in communications tools used by the whole world rather than fix the vulnerabilities, according to a policy that the government still claims is partially classified.

Weaknesses like those described in the paper demonstrate why it's not enough for the U.S. government to give up on laws introducing backdoors into encrypted communications. We need a statement from President Obama endorsing uncompromised, strongest-available encryption to protect all users. You can take action by asking him to do that at SaveCrypto.org.

--
It's better to burn out than fade away.
From: Richard Forno (rforno at infowarrior.org)
Date: Thu, 15 Oct 2015 16:09:40 -0400
Subject: [Infowarrior] - Tech group representing Facebook, Google, Amazon comes out against CISA

Tech group representing Facebook, Google, Amazon comes out against CISA
Eric Geller
http://www.dailydot.com/politics/cisa-senate-ccia-amazon-facebook-google/

A group representing the most powerful American tech companies announced its opposition to a major cybersecurity bill on Thursday, lending Silicon Valley credibility to the argument against the bill just days before it is expected to receive a vote.

The Computer and Communications Industry Association (CCIA), which represents Amazon, Facebook, Google, Microsoft, Yahoo, and 21 other tech companies, announced Thursday that it could not back the Cybersecurity Information Sharing Act, which the Senate is expected to take up next week.

CISA would let businesses share data about cyber threats with other businesses and government agencies, with the goal of improving cyberdefense and threat-detection work in both the private and public sectors. But privacy groups and security experts have criticized the provision requiring companies to strip customer information from the data they share, alleging that it isn't strong enough to protect Americans' personal information.

CCIA echoed that concern in its statement, saying that "CISA's prescribed mechanism for sharing of cyber threat information does not sufficiently protect users' privacy or appropriately limit the permissible uses of information shared with the government."

The statement from CCIA, which includes many of the most influential U.S.
tech firms, adds considerable muscle to the anti-CISA movement, which can now point to concerns from the very companies that the bill is designed to aid.

"We're very pleased," Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, told the Daily Dot in an email. "Not just because of politics but on the policy side. We and all the other privacy groups have repeatedly said that CISA needlessly compromises privacy and civil liberties. Now industry admits it, too."

Sen. Ron Wyden (D-Ore.), CISA's most vocal critic in Congress, cheered CCIA's opposition in a statement his office provided to the Daily Dot.

"CCIA represents some of the biggest names in tech and their opposition to the current version of CISA is a shot in the arm for those of us fighting for privacy and security," Wyden said. "These companies understand it is untenable and bad for business to enact flawed 'cybersecurity' policies that infringe on users' privacy while doing little to prevent sophisticated hacks."

"By coming out against this bill," Wyden added, "CCIA's members, including Google, Yahoo, and Facebook, have made the clear statement that they have their users' backs."

Google's opposition could prove particularly potent. The search giant played a significant role in raising awareness of controversial copyright bills in January 2012, joining a massive protest that ultimately forced Congress to shelve the legislation. But until today, the search giant, with its army of lobbyists and the world's most visited homepage, had declined to take a position on CISA. A Google spokeswoman declined to comment further on the bill.

Heather Greenfield, a CCIA spokeswoman, told the Daily Dot that the group checked with its members before drafting the statement. "When we do this sort of thing the members who care about the issue, whether [it's] patent reform or cybersecurity, tend to be the ones who get back to us," she said in an email. "That was the case here."
CCIA did not object to information-sharing legislation more generally, saying that narrowly tailored sharing could help detect and neutralize cyberattacks. But the group also noted that bills like CISA weren't strictly necessary.

"Current legal authorities permit companies to share cyber threat indicators with the government where necessary to protect their rights and the rights of their users, and should not be discounted as useful existing mechanisms," CCIA said.

Evan Greer, campaign director at the Internet-rights group Fight for the Future, pointed to the CCIA statement as evidence that "nobody wants this bill."

"Not the public, not security experts, and not even the industry it's supposed to protect," Greer said in a statement. "The safety of Internet users' personal information is more fragile than ever, if Congress decides to make matters worse, everyone will know it was the result of ignorance and corruption."

Microsoft, a CCIA member, and Apple, which is not part of the group, previously joined a letter from another industry group calling for some sort of information-sharing legislation, but Apple told the Daily Dot that it has concerns about CISA in its current form.

Cybersecurity has climbed the ranks of Congress' many priorities amid a flurry of cyberattacks on government agencies and private companies, most notably the data breach at the Office of Personnel Management that exposed 22 million federal workers' sensitive records. But information-sharing laws like CISA would not have prevented attacks like the OPM hack, where the faults were more numerous than a lack of early warning.

Tien said that the Silicon Valley companies' opposition to CISA was particularly important in light of a recent European court ruling striking down a U.S.-E.U. data-sharing agreement based on U.S. companies' inability to protect E.U. data from the NSA.
"A lot of that decision was about the U.S.'s failure to have good rules and safeguards over government access to personal information held by companies," he said. "CISA exemplifies that failure, too."

Senate Intelligence Committee Chairman Richard Burr (R-N.C.), CISA's chief sponsor, has aggressively rebuked critics of the bill's privacy protections. A spokeswoman for Burr declined to comment on CCIA's opposition to the bill.

Update 12:34pm CT, Oct. 15: Added comment from Sen. Wyden.

From: Richard Forno (rforno at infowarrior.org)
Date: Sat, 17 Oct 2015 09:42:51 -0400
Subject: [Infowarrior] - Revisiting 'Pirates of Silicon Valley'

(IMHO one of the better geek movies coming out of the Dot Com days. Fun to watch, too! --rick)

Revisiting 'Pirates of Silicon Valley', the original Steve Jobs movie - CNET
Rich Trenholm
http://www.cnet.com/news/revisiting-pirates-of-silicon-valley-the-original-steve-jobs-movie/

"I don't want you to think of this as just a film...We're rewriting the history of human thought with what we're doing."

So begins the first film to dramatise the life and times of Apple founder Steve Jobs. With new biopic "Steve Jobs" in theatres soon, we look back at 1999's "Pirates of Silicon Valley".

"Pirates" focuses on the heated personal rivalry between Steve Jobs of Apple and Bill Gates of Microsoft, recounting the parallel and often intertwined stories of the two companies and their tempestuous founders. Written and directed by photojournalist and documentary-maker Martyn Burke, the TV movie was based on the book "Fire in the Valley: The Making of The Personal Computer" by Paul Freiberger and Michael Swaine. It was first shown on TNT in June 1999.

Noah Wyle, then in the middle of his role as Dr. Carter in "ER", plays the hippie-turned-executive Jobs.
Microsoft co-founder Bill Gates is played by Anthony Michael Hall, relegated to TV after his '80s teen movie heyday but soon to have something of a career revival as the lead in "The Dead Zone".

Wyle is uncannily similar to the young Apple co-founder: Jobs' real-life college buddy and Apple employee #12, Daniel Kottke, has said, "I found myself thinking it was actually Steve on the screen."

But Hall's is the more interesting performance. In the popular imagination Gates is the nerd and Jobs is the visionary, but "Pirates of Silicon Valley" slyly suggests who's the winner, Hall topping Gates' awkward smirk with the steely, dead-eyed gaze of a poker player. Walter Isaacson's biography of Jobs describes Gates as one of the few people resistant to Jobs' infamous "reality distortion field", and while Jobs the mercurial visionary might dismiss his Harvard-educated rival Gates as having "no taste", the film portrays the calculating Microsoft man playing Jobs like a fiddle.

"Success is a menace," says Hall as Gates. "It fools smart people into thinking they can't lose."

Although it clearly lacks the Hollywood prestige of Aaron Sorkin and Danny Boyle, the men behind the new Jobs biopic, "Pirates of Silicon Valley" is shot with real verve. Cleverly opening with a recreation of Apple's iconic 1984 advert, the film keeps its potentially technical subject matter light, with visual flair from the opening monologue fake-out to the camera tracking over the chaos of a counter-cultural riot or prowling down a boardroom table.

The parallel stories of the two companies are narrated by their respective co-founders Steve Wozniak and Steve Ballmer, long-time friends of Jobs and Gates. You might recognise the ebullient Ballmer's dulcet tones: he's played by John DiMaggio, the voice of Bender in "Futurama".
Their narration is brought to life as Ballmer breaks the fourth wall to step out of a frozen scene and explain how Gates built his vast fortune on a lie, while Woz wanders into a Mac's graphic user interface and begins pointing stuff out. Meanwhile the collision of counterculture and technology in Silicon Valley at the time is evoked by effective 1970s and '80s music cues from The Moody Blues to Talking Heads.

The film shows how these anarchic early friendships formed into effective business partnerships, each player balancing the other's strengths and weaknesses. The brilliant but shy Wozniak needs Jobs' understanding of people to sell his inventions, while Ballmer's fast-talking sales patter supports Gates' somewhat chaotic inventiveness. One comic scene sees Ballmer solving the problem of Gates forgetting his tie by climbing a bathroom stall and attempting to buy the tie from around the neck of a startled businessman.

These young turks take LSD, race stolen bulldozers and operate out of garages and seamy motels. Depicted as a winning combination of youthful iconoclasm and technical brilliance, they're presented in deliberate contrast to the stuffed shirts of the then big computer companies IBM and Xerox, who are comically unaware of the way the wind is blowing.

And as the title suggests these bright young men really are pirates, frequently plundering other companies and scamming or outright stealing their way to success. Jobs' Macintosh team really did fly a customised Jolly Roger flag over the Apple campus, and Jobs really did say, "It's more fun to be a pirate than to join the navy."

The only person portrayed in the film as aware of the new danger is also the only woman in the film who is a part of the technology side of the story, a Xerox project manager who appears in just one scene and isn't even named.
Sassily essayed by the late Holly Lewis, the character is based on real-life Xerox employee Adele Goldberg, who (correctly) warned against allowing the Apple boys to look at Xerox PARC technology. Fans of "The Walking Dead" may also recognise Melissa McBride, who plays Carol in AMC's zombie show, as Elizabeth Holmes, who went to college with Jobs and was an early Apple employee.

"Pirates" is focused on recounting events rather than getting into the heads of its characters, so there's not a great deal of insight into their motivations. But the film doesn't shrink from the darker side of Jobs' character when depicting his transformation from bearded hippie to bow tie-wearing multimillionaire.

A college drop-out with a fascination for mind-expanding drugs and zen philosophy, Jobs could be paradoxically obnoxious, cold and vindictive, in both his personal and professional lives. His capricious temper is shown here as he crushes employees -- which one-time Apple marketing chief Mike Murray called "management by character assassination" -- or destroys a potential hire by demanding "Are you a virgin?", a question he startled people with on more than one occasion in real life. His callousness is seen as he shuts out his friends, who had helped him build Apple, from the stock issue that made him vastly wealthy. And most damningly, he's shown denying he's the father of his daughter from a relationship with a fictional version of Jobs' real-life girlfriend, Crissan Brennan.

Jobs is clearly portrayed as thriving on conflict, but his delight in turning his own company against itself leads directly to his downfall.

It's worth remembering that "Pirates" was made in 1999, and back then Gates really did look like the winner between the two. At the time, Microsoft unassailably dominated the personal computer world. Jobs had been unceremoniously ousted from Apple a couple of years earlier, and although he had returned, his company had been making huge losses.
By 1999 the iMac was a hit and Apple was taking its first steps towards becoming the cultural phenomenon it is today, but "Pirates of Silicon Valley" predates that global success: it was made before the iPod, before the iPhone, before Jobs adopted his famous black turtleneck uniform and cult leader status.

As such the film is an enjoyable primer on the foundation of Apple (and Microsoft) and an interesting look at the first act of the Jobs legend. Perhaps the new "Steve Jobs" movie will shed more light on the second act.

You can watch "Pirates of Silicon Valley" on DVD or Google Play in the US, and Amazon Instant Video in the UK. It doesn't appear to be available in Australia.

From: Richard Forno (rforno at infowarrior.org)
Date: Mon, 19 Oct 2015 11:44:30 -0400
Subject: [Infowarrior] - Most Americans would be fine with some Internet surveillance if they were notified

Most Americans would be fine with some Internet surveillance if they were notified
By Patrick Howell O'Neill
Oct 19, 2015, 6:13am CT | Last updated Oct 19, 2015, 6:17am CT

Despite increasingly heated rhetoric from opponents of government surveillance, a recent survey shows that most Americans would be okay with many kinds of Internet snooping as long as the snoopers told them first.

The results showed "a surprising willingness by participants to accept the inspection of encrypted traffic, provided they are first notified," according to the researchers behind the survey, which was titled "At Least Tell Me."

Although the respondents put up with surveillance, half of them said that they believed it constituted an invasion of privacy. Surveillance tools can create security vulnerabilities that permit hacking, illegal spying, privacy violations, and identity theft.
But around 75 percent of respondents agreed that Internet service providers should be allowed to surveil traffic as long they notified users and received consent.

Most respondents also agreed that employers should be able to monitor the encrypted Internet connections of employees even without notification or consent, especially when an employee used a company computer. There was less agreement when it came to employees using personal devices; approximately a third of respondents opposed surveillance in that case.

In other situations -- using the Internet at schools, in libraries, and on public Wi-Fi -- most respondents said that surveillance was fine as long as they were told that it was happening.

The one exception to the overall trend in the survey involved warrantless government surveillance, but even that issue exposed a sharp divide. Half of respondents objected outright to such spying. But 10 percent accepted it without qualification, another 10 percent said it was acceptable with notification, and a quarter of respondents said it was acceptable with consent.

< -- >

http://www.dailydot.com/politics/internet-surveillance-survey-notification-consent/

From: Richard Forno (rforno at infowarrior.org)
Date: Mon, 19 Oct 2015 13:46:41 -0400
Subject: [Infowarrior] - Teen stoner says he hacked CIA director's AOL account

Teen stoner says he hacked CIA director's AOL account
By Philip Messing, Jamie Schram and Golding
http://nypost.com/2015/10/18/stoner-high-school-student-says-he-hacked-the-cia/

Hillary Rodham Clinton's email scandal didn't stop the head of the CIA from using his own personal AOL account to stash work-related documents, according to a stoner high school student who claims to have hacked into them.

CIA Director John Brennan's private account held sensitive files -- including his 47-page application for top-secret security clearance --
until he recently learned that it had been infiltrated, the hacker told The Post.

Other emails stored in Brennan's non-government account contained the Social Security numbers and personal information of more than a dozen top American intelligence officials, as well as a government letter about the use of "harsh interrogation techniques" on terrorism suspects, according to the hacker.

The FBI and other federal agencies are now investigating the hacker, with one source saying criminal charges are possible, law enforcement sources said.

"I think they'll want to make an example out of him to deter people from doing this in the future," said a source who described the situation as "just wild" and "crazy."

"I can't believe he did this to the head of the CIA," the source added. "[The] problem with these older-generation guys is that they don't know anything about cybersecurity, and as you can see, it can be problematic."

In a series of phone conversations with The Post, the hacker described himself as an American high school student who is not Muslim and was motivated by opposition to US foreign policy and support for Palestine.

He wouldn't reveal his name or say where he lived but made good on a promise to tweet "CWA owns John Brennan of the CIA" as a means of verifying his control over the @phphax Twitter account. He explained "CWA" stood for "Crackas With Attitude," which he said referred to him and a classmate with whom he smokes pot.

The hacker contacted The Post last week to brag about his exploits, which include posting some of the stolen documents and a portion of Brennan's contact list on Twitter. The hacker's Twitter page includes the Muslim Shahada creed, which translates as, "There is no god but Allah, Muhammad is the messenger of Allah."

He said the stolen documents were stored as attachments to about 40 emails that he read after breaking into Brennan's account on Oct.
12, more than six months after the controversy erupted over Clinton's use of a private computer server to handle emails while serving as secretary of state.

The hacker said he used a tactic called "social engineering" that involved tricking workers at Verizon into providing Brennan's personal information and duping AOL into resetting his password. Brennan's account was disabled as of Friday, he said.

He claimed he has repeatedly prank-called America's top spy since August, once reciting Brennan's Social Security number to him. "He waited a tiny bit and hung up," the hacker said.

And he also got into the online Comcast account of Homeland Security Secretary Jeh Johnson and posted a redacted screenshot of a billing page. He claimed that he listened to Johnson's voicemails.

In a statement, the CIA said: "We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities."

Additional reporting by Danika Fears

From: Richard Forno (rforno at infowarrior.org)
Date: Tue, 20 Oct 2015 07:46:40 -0400
Subject: [Infowarrior] - Suntrust severance deal requires IT workers to be on call for two years

(So much fail I'm not sure where to begin other than saying good luck trying to enforce this. --rick)

Bank's severance deal requires IT workers to be on call for two years
Patrick Thibodeau
Computerworld | Oct 19, 2015 1:18 PM PT
http://www.computerworld.com/article/2994787/it-careers/bank-s-severance-deal-requires-it-workers-to-be-on-call-for-two-years.html

SunTrust Banks in Atlanta is laying off about 100 IT workers as it moves work offshore. But this layoff is unusual for what it is asking of the soon-to-be displaced workers: The bank's severance agreement requires terminated employees to remain available for two years to provide help if needed, including in-person assistance, and to do so without compensation.
Many of the affected IT employees, who are now training their replacements, have years of experience and provide the highest levels of technical support. The proof of their ability may be in the severance requirement, which gives the bank a way to tap their expertise long after their departure.

The bank's severance includes a "continuing cooperation" clause for a period of two years, where the employee agrees to "make myself reasonably available" to SunTrust "regarding matters in which I have been involved in the course of my employment with SunTrust and/or about which I have knowledge as a result of my employment at SunTrust."

The employees were informed of their layoff at the end of September, and the last day of work for some is on Nov. 1. This is according to several of the affected employees, who requested anonymity for fear of retaliation.

The severance is seen by affected employees as a requirement to provide ongoing technical assistance as needed. The severance agreement itself says that this assistance from former employees "will be requested at such times and in such a manner so as to not unreasonably interfere with my subsequent employment." An employee shared the severance clause with Computerworld.

This assistance can be by telephone or in-person meetings, and provided without "additional consideration or compensation of any kind," it says.

"How do they think this is acceptable?" said one affected IT worker about the clause. He couldn't fathom how the bank can cut its IT staff and yet insist that former workers be available to fix problems.

SunTrust, with about $189 billion in assets, declined to discuss the severance, and a spokesman said the company isn't commenting on its "HR policies or procedures." Bank employees provided the estimate of the number of workers affected by the layoff. The bank declined to provide any specifics.
The bank's only comment was general: Like all businesses, "we are constantly reviewing and adjusting our staffing -- hiring in some areas while reducing in others." The goal is "to ensure we're meeting client needs effectively and efficiently," said a spokesman, in an email statement.

Sara Blackwell, a Florida attorney who is representing Disney workers in a discrimination complaint after they were replaced by foreign workers, said the SunTrust "contract requires them to be on call for two years and they agree to not be paid for any time used to assist the company." However, if the company called them and did not pay them, that is "a clear violation of the Fair Labor Standards Act," she said. That law establishes wage standards.

There may be exceptions for participation in certain aspects of litigation, but Blackwell said, "this clause is too broad" and is likely unenforceable.

Cooperation agreements are uncommon for mid-level employees and typically apply only to C-Level executives, such as the CFO and CEO, and then usually when there is ongoing litigation, said several attorneys who handle these types of agreements. The SunTrust severance also requires the laid-off workers be available for depositions, hearings and other proceedings.

Bryan Sullivan, partner at law firm Early Sullivan Wright Gizer & McRae, said cooperation agreements are usually for highly paid executives at a firm. When consulting expertise is required, there may be a separate consulting contract as part of the severance, he said.

SunTrust has been working for a number of years with IT contractors that have large India and overseas operations -- including IBM and Infosys -- said bank employees. Employees said the "knowledge transfer" -- the euphemism used to describe training contractors who are taking their jobs -- is well underway and is being done both over the Web and in person. SunTrust employees said they were told to cooperate with whatever the "vendor partners" asked.
The vendors have access to employee systems and are shadowing them in their day-to-day work. Contractors with H-1B visas are also being used at the worksite, according to Labor Condition Application filings, which attest to wage level and worksite location.

SunTrust workers have been filing Trade Adjustment Assistance (TAA) applications for several years, citing a shift of work to India or jobs lost as a result of foreign outsourcing. TAA provides benefits to displaced workers, such as college tuition help.

The employees could not say exactly how big of a role outsourcing contractors are now playing at the bank because they don't know the bigger picture. But they did observe that in IT offices many of the workers appeared to be Indian or from that part of the globe.

Patrick Thibodeau, Senior Editor. Patrick Thibodeau covers cloud computing and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld.

From: Richard Forno (rforno at infowarrior.org)
Date: Tue, 20 Oct 2015 13:35:00 -0400
Subject: [Infowarrior] - Here's Every Email the NSA Got After Asking Americans for Tips on How to Protect Privacy

Here's Every Email the NSA Got After Asking Americans for Tips on How to Protect Privacy
By Jason Leopold
October 20, 2015 | 11:12 am

When then-NSA director Keith Alexander gave the keynote address at the Black Hat hackers convention in Las Vegas in 2013, he made an unusual pitch to the attendees: He asked them to help the NSA come up with ways to protect Americans' privacy and civil liberties.

"How do we start this discussion on defending our nation and protecting our civil liberties and privacy?" Alexander asked the crowd. "The reason I'm here is because you may have some ideas of how we can do it better. We need to hear those ideas."
There were some hecklers. Alexander's appeal came just a few weeks after journalists Glenn Greenwald, Laura Poitras, and Barton Gellman first revealed details about the NSA's vast surveillance programs that targeted American citizens, information based on highly classified documents they received from former NSA contractor Edward Snowden.

Still, Alexander asked the attendees -- and, on the NSA's website, all Americans -- to send their suggestions to ideas at nsa.gov. VICE News subsequently filed a Freedom of Information Act (FOIA) with the agency to find out if anyone wrote. It took the NSA nearly two years to respond....

< - >

https://news.vice.com/article/heres-every-email-the-nsa-got-after-asking-americans-for-tips-on-how-to-protect-privacy

From: Richard Forno (rforno at infowarrior.org)
Date: Thu, 22 Oct 2015 14:14:29 -0400
Subject: [Infowarrior] - CISA Moves Forward: These 83 Senators Just Voted To Expand Surveillance

(actually easier to start @ the bottom of the article, which is shown below. --rick)

CISA Moves Forward: These 83 Senators Just Voted To Expand Surveillance
from the ridiculous dept
https://www.techdirt.com/articles/20151022/10133932597/cisa-moves-forward-these-83-senators-just-voted-to-expand-surveillance.shtml

< -- >

The 14 principled votes against this bill are the following list, who should be thanked for taking a stand against expanded mass surveillance:

- Baldwin (D-WI)
- Booker (D-NJ)
- Brown (D-OH)
- Coons (D-DE)
- Franken (D-MN)
- Leahy (D-VT)
- Markey (D-MA)
- Menendez (D-NJ)
- Merkley (D-OR)
- Paul (R-KY)
- Sanders (I-VT)
- Udall (D-NM)
- Warren (D-MA)
- Wyden (D-OR)

Paul had introduced an amendment that sounded pretty straightforward, effectively requiring companies to adhere to their terms of service with customers and it, too, got overwhelmingly voted down.
Senator Whitehouse's really bad CFAA amendment got basically ditched (there was one tiny bit of language from it that was kept in which was basically fine). There's a chance that more amendments could be voted on on Monday, but from the sound of it, none of them have a chance. And now we have to worry about what will happen in conference when Congress tries to resolve differences between the House and Senate versions, and then see if the President signs the bill as well.

Unfortunately, the Senate just did a really bad thing.

From: Richard Forno (rforno at infowarrior.org)
Date: Thu, 22 Oct 2015 22:42:25 -0400
Subject: [Infowarrior] - White House backs CISA

White House backs controversial cyber bill
By Cory Bennett - 10/22/15 06:43 PM EDT
http://thehill.com/policy/cybersecurity/257831-white-house-backs-controversial-cyber-bill

The White House late Thursday officially endorsed a major cybersecurity bill set for a final vote on Tuesday.

The Obama administration has been informally on board with the Cybersecurity Information Sharing Act (CISA) -- which would shield companies from legal liability when sharing cyber threat data with the government -- since August, when White House spokesman Eric Schultz called on the upper chamber to swiftly move the bill.

But Thursday's statement cemented White House support for the measure that has received opposition both from President Obama's own party and civil liberties-minded Republicans.

"An important building block for improving the nation's cybersecurity is ensuring that private entities can collaborate to share timely cyber threat information with each other and the federal government," said a White House memo.

Many industry groups and a large bipartisan coalition of lawmakers side with the White House, arguing CISA is a necessary first step to better understanding and repelling hackers.
But digital rights groups, a growing number of tech companies and privacy-minded senators in both parties are concerned the bill would allow companies to hand over troves of customers' personal data to government intelligence agencies.

The White House has previously expressed similar privacy concerns about CISA. But in its statement Thursday, the administration commended CISA's sponsors, Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), for their edits to the bill, both in committee and in a manager's amendment that is expected to pass next week. Those alterations have helped the White House come around on the bill.

"This work has strengthened the legislation and incorporated important modifications to better protect privacy," the White House said.

For months, a major sticking point for the Obama administration was how companies would share their data on hackers with the government. The White House wants all private sector data funneled through the Department of Homeland Security (DHS), which is seen as the agency best suited to scrub personal data. After some tweaks and expected clarifications, the administration seems satisfied CISA will largely achieve this goal.

"Focusing real-time sharing through one center at DHS enhances situational awareness, facilitates robust privacy controls, and helps to ensure oversight of such sharing," the statement said. "In addition, centralizing this sharing mechanism through DHS will facilitate more effective real-time sharing with other agencies in the most efficient manner."

But the White House did take issue with provisions that allow for some limited situations in which companies can bypass the DHS and go straight to other federal agencies.

"This remains a significant concern, and the administration is eager to work with the Congress to seek a workable solution," it said.

The White House also warned lawmakers not to authorize more exceptions to the DHS "portal,"
which could happen if the Senate approves an amendment from Sen. Tom Cotton (R-Ark.). The Senate will vote next Tuesday on Cotton's offering, which would give companies liability protections when sharing data directly with the FBI and Secret Service, a concept that?s anathema to privacy advocates. ?The administration will strongly oppose any amendments that would provide additional liability-protected sharing channels, including expanding any exceptions to the DHS portal,? the White House cautioned. -- It's better to burn out than fade away. From rforno at infowarrior.org Fri Oct 23 20:33:27 2015 From: rforno at infowarrior.org (Richard Forno) Date: Fri, 23 Oct 2015 21:33:27 -0400 Subject: [Infowarrior] - DoJ to Apple: iOS is licensed so we can force you to decrypt Message-ID: (And in related news, DOJ has discovered unicorns prancing in the Hoover Building's courtyard. --rick) DoJ to Apple: iOS is licensed so we can force you to decrypt posted by Thom Holwerda on Fri 23rd Oct 2015 23:11 UTC http://www.osnews.com/story/28918/DoJ_to_Apple_iOS_is_licensed_so_we_can_force_you_to_decrypt -- It's better to burn out than fade away. From rforno at infowarrior.org Tue Oct 27 15:07:01 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 27 Oct 2015 16:07:01 -0400 Subject: [Infowarrior] - Latest DMCA exemptions Message-ID: Victory for Users: Librarian of Congress Renews and Expands Protections for Fair Uses https://www.eff.org/deeplinks/2015/10/victory-users-librarian-congress-renews-and-expands-protections-fair-uses The new rules for exemptions to copyright's DRM-circumvention laws were issued today, and the Librarian of Congress has granted much of what EFF asked for over the course of months of extensive briefs and hearings. 
The exemptions we requested – ripping DVDs and Blurays for making fair use remixes and analysis; preserving video games and running multiplayer servers after publishers have abandoned them; jailbreaking cell phones, tablets, and other portable computing devices to run third party software; and security research and modification and repairs on cars – have each been accepted, subject to some important caveats. The exemptions are needed thanks to a fundamentally flawed law that forbids users from breaking DRM, even if the purpose is a clearly lawful fair use. As software has become ubiquitous, so has DRM. Users often have to circumvent that DRM to make full use of their devices, from DVDs to games to smartphones and cars. The law allows users to request exemptions for such lawful uses – but it doesn't make it easy. Exemptions are granted through an elaborate rulemaking process that takes place every three years and places a heavy burden on EFF and the many other requesters who take part. Every exemption must be argued anew, even if it was previously granted, and even if there is no opposition. The exemptions that emerge are limited in scope. What is worse, they only apply to end users – the people who are actually doing the ripping, tinkering, jailbreaking, or research – and not to the people who make the tools that facilitate those lawful activities. The section of the law that creates these restrictions – the Digital Millennium Copyright Act's Section 1201 – is fundamentally flawed, has resulted in myriad unintended consequences, and is long past due for reform or removal altogether from the statute books. Still, as long as its rulemaking process exists, we're pleased to have secured the following exemptions. Car Security Research, Repair, and Modifications The Librarian recognized the need for vehicle owners to circumvent access restrictions in order to repair, modify, and tinker.
The exemption removes the uncertainty of whether 1201 liability would attach to a range of activities that have been clearly lawful throughout most of the hundred-year history of automotive tinkering, but were called into question as an unintended consequence of copyright law. We are also pleased by the exemption for security research, which covers vehicles and many other devices. The Librarian included unnecessary limits and delays in the exemptions, but overall the ruling represents a victory for the public that will help independent security researchers evaluate automotive software, will promote competition in the vehicle aftermarket, and will support vehicle owners who wish to learn about or improve on their own cars. Jailbreaking Phones, Tablets, and More The Librarian renewed the existing exemption for jailbreaking smartphones, to allow them to run any software the user chooses. The Librarian also expanded the exemption to cover "portable all-purpose mobile computing devices," including tablets and smartwatches. This exemption clears up a lot of legal uncertainty for the vibrant alternative software communities that have sprung up to customize and enhance portable computing devices. We are pleased that the Librarian has erased the prior rule's arbitrary distinction between phones and tablets. Archiving and Preserving Video Games The Librarian granted part of EFF's new proposal for an exemption to preserve abandoned video games. The new exemption allows players to modify their copy of a game to eliminate the need for an authentication server after the original server is shut down. Museums, libraries, and archives can go a step further and jailbreak game consoles as needed to get the games working again. Disappointingly, the Librarian limited the exemption to games that can't be played at all after a server shutdown, excluding games where only the online multiplayer features are lost.
Still, this exemption will help keep many classic and beloved video games playable by future generations. Remix Videos From DVD and Blu-Ray Sources The Librarian effectively renewed the existing exemption for noncommercial remix videos, and expanded it to cover circumvention of DRM on Blu-Ray discs. Opponents had argued (as they have before) that remix videos are "generally infringing" and that artists should make do with whatever they can acquire through video capture or by pointing their smartphone at a screen. In fact, remix is widely recognized as a thriving genre of fair use used for all kinds of valuable political and cultural commentary and expression. Equally obviously, high quality source is essential to making the creation of persuasive, compelling works, whether those works be documentaries, Hollywood blockbusters, or short form videos. Thanks to today's exemption remixers will be able to continue to make their art using the best quality source material. The new rules are long and complicated, and we'll be posting more details about each as we get a chance to analyze them. In the meantime, we hope each of these exemptions enable more exciting fair uses that educate, entertain, improve the underlying technology, and keep us safer. A better long-term solution, though, is to eliminate the need for this onerous rulemaking process. We encourage lawmakers to support efforts like the Unlocking Technology Act, which would limit the scope of Section 1201 to copyright infringements – not fair uses. And as the White House looks for the next Librarian of Congress, who is ultimately responsible for issuing the exemptions, we hope to get a candidate who acts – as a librarian should – in the interest of the public's access to information. -- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Oct 27 15:07:06 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 27 Oct 2015 16:07:06 -0400 Subject: [Infowarrior] - Senate Rejects All CISA Amendments Designed To Protect Privacy, Reiterating That It's A Surveillance Bill Message-ID: <60C4FC48-B06A-469A-8E1A-8FA1637D1ABD@infowarrior.org> Senate Rejects All CISA Amendments Designed To Protect Privacy, Reiterating That It's A Surveillance Bill from the the-exclamation-point dept https://www.techdirt.com/articles/20151027/11172332650/senate-rejects-all-cisa-amendments-designed-to-protect-privacy-reiterating-that-surveillance-bill.shtml In case you weren't already convinced that CISA is a surveillance bill masquerading as a cybersecurity bill, today the Senate rejected four separate amendments to the bill that attempted to better protect the privacy of Americans. Senator Wyden had an amendment to require the removal of personal information before information could be shared, which was voted down 55 to 41. Senator Heller had an amendment that was basically a backstop against the Wyden amendment, saying that if the Wyden amendment didn't pass, Homeland Security would be responsible for removing such personal information. That amendment also failed by a 49 to 47 vote. Senator Leahy had an amendment that would have removed FOIA exemptions in the bill (making it much less transparent how CISA was used). That amendment was voted down 59 to 37. Senator Franken then had an amendment that would have "tightened" the definition of cybersecurity threats, so that the shared information needed to be "reasonably likely" to cause damage, as opposed to the current "may" cause damage. And (you guessed it, because you're good at this), it was also voted down by a 60 to 35 vote.
Meanwhile, Marcy Wheeler notes that the revised version of the bill by Senators Burr and Feinstein, which claimed to incorporate greater transparency requirements proposed by Senator Tester, actually takes away a lot of transparency and actually makes it more difficult for Congress to learn whether or not CISA is being used for domestic surveillance: That Burr and DiFi watered down Tester's measures so much makes two things clear. First, they don't want to count some of the things that will be most important to count to see whether corporations and agencies are abusing this bill. They don't want to count measures that will reveal if this bill does harm. Most importantly, though, they want to keep this information from Congress. This information would almost certainly not show up to us in unclassified form, it would just be shared with some members of Congress (and on the House side, just be shared with the Intelligence Committee unless someone asks nicely for it). But Richard Burr and Dianne Feinstein want to ensure that Congress doesn't get that information. Which would suggest they know the information would reveal things Congress might not approve of. Once again, these kinds of actions really only make sense if CISA is being used to justify warrantless domestic surveillance. Which once again raises the question of why Congress is willing to move forward with such a surveillance bill. We just went through a whole process showing that the public is not comfortable with secret laws and secret interpretations that lead to surveillance. Why would they immediately push for a new secret law that expands surveillance and reject any and all attempts at protecting the privacy of the American public or any sort of transparency and accountability in how the bill is used? The bill is positioned as a cybersecurity bill, but good luck finding a single computer security expert who actually thinks the bill is either useful or necessary.
I've been trying and so far I can't find any. -- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Oct 27 16:26:24 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 27 Oct 2015 17:26:24 -0400 Subject: [Infowarrior] - Senate passes CISA 74-21 /eom Message-ID: -- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Oct 27 17:36:45 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 27 Oct 2015 18:36:45 -0400 Subject: [Infowarrior] - Costs for Dementia Care Far Exceeding Other Diseases, Study Finds Message-ID: <1AA6F1BF-221C-4438-9387-4256265997A9@infowarrior.org> Costs for Dementia Care Far Exceeding Other Diseases, Study Finds Gina Kolata http://www.nytimes.com/2015/10/27/health/costs-for-dementia-care-far-exceeding-other-diseases-study-finds.html Three diseases, leading killers of Americans, often involve long periods of decline before death. Two of them – heart disease and cancer – usually require expensive drugs, surgeries and hospitalizations. The third, dementia, has no effective treatments to slow its course. So when a group of researchers asked which of these diseases involved the greatest health care costs in the last five years of life, the answer they found might seem surprising. The most expensive, by far, was dementia. The study looked at patients on Medicare. The average total cost of care for a person with dementia over those five years was $287,038. For a patient who died of heart disease it was $175,136. For a cancer patient it was $173,383. Medicare paid almost the same amount for patients with each of those diseases – close to $100,000 – but dementia patients had many more expenses that were not covered. On average, the out-of-pocket cost for a patient with dementia was $61,522 – more than 80 percent higher than the cost for someone with heart disease or cancer.
The reason is that dementia patients need caregivers to watch them, help with basic activities like eating, dressing and bathing, and provide constant supervision to make sure they do not wander off or harm themselves. None of those costs were covered by Medicare. For many families, the cost of caring for a dementia patient often "consumed almost their entire household wealth," said Dr. Amy S. Kelley, a geriatrician at Icahn School of Medicine at Mt. Sinai in New York and the lead author of the paper published on Monday in the Annals of Internal Medicine. "It's stunning that people who start out with the least end up with even less," said Dr. Kenneth Covinsky, a geriatrician at the University of California in San Francisco. "It's scary. And they haven't even counted some of the costs, like the daughter who gave up time from work and is losing part of her retirement and her children's college fund." Dr. Diane E. Meier, a professor of geriatrics and palliative care at Mount Sinai Hospital, said most families are unprepared for the financial burden of dementia, assuming Medicare will pick up most costs. "What patients and their families don't realize is that they are on their own," Dr. Meier said. Everything gets complicated when a person has dementia, noted Dr. Christine K. Cassel, a geriatrician and chief executive of the National Quality Forum. She described a familiar situation: If a dementia patient in a nursing home gets a fever, the staff members say, "I can't handle it" and call 911, she said. The patient lands in the hospital. There, patients with dementia tend to have complications – they get delirious and confused, fall out of bed and break a bone, or they choke on their food. Medical costs soar. To obtain cost estimates, Dr.
Kelley and her colleagues used data from the Health and Retirement Survey, a federally funded study that conducts detailed interviews every two years with a nationally representative sample of older people, getting an average response rate of 86 percent. It collects data on participants' incomes, health and needs for care. It includes data on subjects' cognitive functioning and the likelihood that they are demented, and on their total out-of-pocket spending. The survey links to the Medicare database, which provides data on participants' total medical costs, and to the National Death Index. After people die, their families are questioned again about health care spending, including spending on nursing homes and home health care. To estimate the costs of unpaid care – a daughter who leaves her job to care for a mother with Alzheimer's disease, for example – the researchers used $20 an hour, the average for a home health care aide. The reason for the big disparities in out-of-pocket costs for the three diseases, Dr. Kelley said, is that Medicare covers discrete medical services like office visits and acute care such as hospitalization and surgery. Expenses for cancer patients and heart patients tend to be of that sort. They often do not need full-time home or nursing home care until the very end of their life, if at all, so do not have that continuing cost. Dementia patients, in contrast, need constant care for years. They may not be sick enough for a nursing home but cannot be left alone. When they are sick enough for a nursing home, that cost is not covered by health insurance. More than half of patients with dementia – and three-quarters of those from racial minorities – spend down, using savings to pay for the nursing home until nothing is left. Then Medicaid, the federal-state program for low-income people, takes over. "It's a terribly expensive disease," said Virginia Benson, whose 91-year-old husband, George, a psychiatrist and psychoanalyst, has Alzheimer's.
Dr. Benson lives in a nursing home in Webster Groves, Mo., because Mrs. Benson can no longer care for him. The first home he lived in cost $6,000 a month. Mrs. Benson found a less expensive one for veterans that cost $2,000 a month. After a two-year wait, he got in. Dr. Benson has almost no medical expenses. "It's exclusively care costs," Mrs. Benson said. "All he needs is to be washed and dressed and fed. I have often felt a little guilty about putting him in care, but they said, 'It takes three shifts of us to take care of him.'" Nonetheless, she added, "It breaks my heart, it just breaks my heart." Nancy Olson, who lives in Franklin, Ind., struggled for years with care arrangements for her mother, who had vascular dementia and died in May. She tried assisted living, tried having her mother at home with part-time caregivers, and finally settled on a nursing home. She spent about $65,000 of her own money and her mother's in the five years before her mother died. As for her mother's money, by the time she died, "it was gone," Ms. Olson said. John Rakis, a consultant in New York, spent more than $189,000 in less than two years for caregivers and other expenses for his mother-in-law, 92, who has dementia and lives in a housing project in Manhattan. He promised his wife, who died in January 2013, that he would take care of her mother. She left a portion of her life insurance and death benefit money to her mother, and Mr. Rakis spent it on her care. Until it was gone. "The money ran out in June," Mr. Rakis said. "I was losing sleep." Then he discovered a Medicaid program that covers home health care for disabled people living at the poverty level. Mr.
Rakis remains actively involved in his mother-in-law's care, overseeing her needs, including going with her when she ends up in an emergency room. He speaks regularly to doctors, nurses and social workers from Mount Sinai's Visiting Doctors Program who make house calls. He has what amounts to a second job taking care of her, despite the full-time home health care aides he pays for. "We were fortunate," he said. "The money was there. But it went pretty quickly." -- It's better to burn out than fade away.
From rforno at infowarrior.org Tue Oct 27 18:27:58 2015 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 27 Oct 2015 19:27:58 -0400 Subject: [Infowarrior] - The Senate, ignorant on cybersecurity, just passed a bill about it anyway Message-ID: <9CDBF560-905D-4487-A523-CEEDDA38388C@infowarrior.org> The Senate, ignorant on cybersecurity, just passed a bill about it anyway Trevor Timm http://www.theguardian.com/commentisfree/2015/oct/27/senate-ignorant-of-cyber-security-just-passed-cisa-bill-anyway Under the vague guise of "cybersecurity", the Senate voted Tuesday to pass the Cybersecurity Information Sharing Act (Cisa), a spying bill that essentially carves a giant hole in all our privacy laws and allows tech and telecom companies to hand over all sorts of private information to intelligence agencies without any court process whatsoever. Make no mistake: Congress has passed a surveillance bill in disguise, with no evidence it'll help our security. All that is needed for companies to hand over huge swaths of information to the government is for it to contain "cyber threat indicators" – a vague phrase that can be interpreted to mean pretty much anything. Your personal information – which can include the content of emails – will be handed over to the Department of Homeland Security, the agency supposedly responsible for the nation's cybersecurity.
From there the information can be sent along to the NSA, which can add it to databases or use it to conduct even more warrantless searches on its internet backbone spying (which once again, a judge ruled last week could not be challenged in court because no one can prove the NSA is spying on them, since the agency inevitably keeps that information secret). Try asking the bill's sponsors how the bill will prevent cyberattacks or force companies and governments to improve their defenses. They can't answer. They will use buzzwords like "info-sharing" yet will conveniently ignore the fact that companies and the government can already share information with each other as is. There were barely any actual cybersecurity experts who were for the bill. A large group of respected computer scientists and engineers were against it. So were cyberlaw professors. Civil liberties groups uniformly opposed (and were appalled by) the bill. So did consumer groups. So did the vast majority of giant tech companies. Yet it still sailed through the Senate, mostly because lawmakers - many of whom can barely operate their own email - know hardly anything about the technology that they're crafting legislation about. This is the state of "cybersecurity" legislation in this country, where lawmakers wanted to do something, but lacking any sort of technical expertise – or any clue at all what to do – just decided to cede more power to intelligence agencies like the NSA. The bill, which used to be known as Cispa, has been festering in Congress for years, and now it looks like it will finally head to the President's desk. Along the way, the Senate decided to reject a handful of common sense privacy amendments that could've protected that information. One by one, privacy and transparency amendments that would've at least made the bill less awful were voted down on Tuesday.
First, they voted down Senator Ron Wyden's amendment that would've forced companies to strip out personally identifiable information before handing data over to the government. They voted down Senator Patrick Leahy's amendment that would've prevented Cisa from carving out a new exemption to the Freedom of Information Act, which will prevent news organizations and others from using the transparency law to find out what types of information companies are handing over to the government. In an era of secret law, where the government has no problem completely re-interpreting laws in complete secrecy to allow mass spying on Americans, we now have another law on the books that carves a hole in our privacy laws, contains vague language that can be interpreted any which way, and that has provisions inserted into it specifically to prevent us from finding out how they're using it. -- It's better to burn out than fade away.
From rforno at infowarrior.org Wed Oct 28 15:55:53 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Oct 2015 16:55:53 -0400 Subject: [Infowarrior] - Turns Out Police Stingray Spy Tools Can Indeed Record Calls Message-ID: Turns Out Police Stingray Spy Tools Can Indeed Record Calls Kim Zetter http://www.wired.com/2015/10/stingray-government-spy-tools-can-record-calls-new-documents-confirm/ The federal government has been fighting hard for years to hide details about its use of so-called stingray surveillance technology from the public. The surveillance devices simulate cell phone towers in order to trick nearby mobile phones into connecting to them and revealing the phones' locations. Now newly released documents confirm long-held suspicions that the controversial devices are also capable of recording numbers for a mobile phone's incoming and outgoing calls, as well as intercepting the content of voice and text communications.
The documents also discuss the possibility of flashing a phone?s firmware ?so that you can intercept conversations using a suspect?s cell phone as a bug.? The information appears in a 2008 guideline prepared by the Justice Department to advise law enforcement agents on when and how the equipment can be legally used. The Department of Justice ironically acknowledges in the documents that the use of the surveillance technology to locate cellular phones 'is an issue of some controversy.' The American Civil Liberties Union of Northern California obtained the documents (.pdf) after a protracted legal battle involving a two-year-old public records request. The documents include not only policy guidelines, but also templates for submitting requests to courts to obtain permission to use the technology. The DoJ ironically acknowledges in the documents that the use of the surveillance technology to locate cellular phones ?is an issue of some controversy,? but it doesn?t elaborate on the nature of the controversy. Civil liberties groups have been fighting since 2008 to obtain information about how the government uses the technology, and under what authority. Local law enforcement agencies have used the equipment numerous times in secret without obtaining a warrant and have even deceived courts about the nature of the technology to obtain orders to use it. And they?ve resorted to extreme measures to prevent groups like the ACLU from obtaining documents about the technology. Stingrays go by a number of different names, including cell-site simulator, triggerfish, IMSI-catcher, Wolfpack, Gossamer, and swamp box, according to the documents. They can be used to determine the location of phones, computers using open wireless networks, and PC wireless data cards, also known as air cards. The devices, generally the size of a suitcase, work by emitting a stronger signal than nearby towers in order to force a phone or mobile device to connect to them instead of a legitimate tower. 
Once a mobile devices connects, the phone reveals its unique device ID, after which the stingray releases the device so that it can connect to a legitimate cell tower, allowing data and voice calls to go through. Assistance from a cell phone carrier isn?t required to use the technology, unless law enforcement doesn?t know the general location of a suspect and needs to pinpoint a geographical area in which to deploy the stingray. Once a phone?s general location is determined, investigators can use a handheld device that provides more pinpoint precision in the location of a phone or mobile device?this includes being able to pinpoint an exact office or apartment where the device is being used. In addition to the device ID, the devices can collect additional information. Investigators also seldom tell judges that the devices collect data from all phones in the vicinity of a stingray?not just a targeted phone?and can disrupt regular cell service. ?If the cellular telephone is used to make or receive a call, the screen of the digital analyzer/cell site simulator/triggerfish would include the cellular telephone number (MIN), the call?s incoming or outgoing status, the telephone number dialed, the cellular telephone?s ESN, the date, time, and duration of the call, and the cell site number/sector (location of the cellular telephone when the call was connected),? the documents note. In order to use the devices, agents are instructed to obtain a pen register/trap and trace court order. Pen registers are traditionally used to obtain phone numbers called and the ?to? field of emails, while trap and trace is used to collect information about received calls and the ?from? information of emails. When using a stingray to identify the specific phone or mobile device a suspect is using, ?collection should be limited to device identifiers,? the DoJ document notes. 
"It should not encompass dialed digits, as that would entail surveillance on the calling activity of all persons in the vicinity of the subject." The documents add, however, that the devices "may be capable of intercepting the contents of communications and, therefore, such devices must be configured to disable the interception function, unless interceptions have been authorized by a Title III order." Title III is the federal wiretapping law that allows law enforcement, with a court order, to intercept communications in real time.

Civil liberties groups have long suspected that some stingrays used by law enforcement have the ability to intercept the content of voice calls and text messages. But law enforcement agencies have insisted that the devices they use are not configured to do so.

Another controversial capability involves the ability to block mobile communications, such as in war zones to prevent attackers from using a mobile phone to trigger an explosive, or during political demonstrations to prevent activists from organizing by mobile phone. Stingray devices used by police in London have both of these capabilities, but it's not known how often or in what capacity they have been used.

The documents also note that law enforcement can use the devices without a court order under "exceptional" circumstances. Most surveillance laws include such provisions to give investigators the ability to conduct rapid surveillance under emergency circumstances, such as when lives are at stake. Investigators are then to apply for a court order within 24 hours after the emergency surveillance begins. But according to the documents, the DoJ considers "activity characteristic of organized crime" and "an ongoing attack of a protected computer (one used by a financial institution or U.S. government) where violation is a felony" to be an exception, too. In other words, an emergency situation could be a hack involving a financial institution.

"While such crimes are potentially serious, they simply do not justify bypassing the ordinary legal processes that were designed to balance the government's need to investigate crimes with the public's right to a government that abides by the law," Linda Lye, senior staff attorney for the ACLU of Northern California, notes in a blog post about the documents.

Another issue of controversy relates to the language that investigators use to describe the stingray technology. Templates for requesting a court order from judges advise the specific terminology investigators should use and never identify the stingray by name. They simply describe the tool as either a pen register/trap and trace device or a device used "to detect radio signals emitted from wireless cellular telephones in the vicinity of the Subject that identify the telephones." The ACLU has long accused the government of misleading judges in using the pen register/trap and trace term, since stingrays are primarily used not to identify phone numbers called and received, but to track the location and movement of a mobile device. Investigators also seldom tell judges that the devices collect data from all phones in the vicinity of a stingray, not just a targeted phone, and can disrupt regular cell service.

It's not known how quickly stingrays release devices that connect to them, allowing them to then connect to a legitimate cell tower. During the period that devices are connected to a stingray, disruption can occur for anyone in the vicinity of the technology. Disruption can also occur from the way stingrays force-downgrade mobile devices from 3G and 4G connectivity to 2G to get them to connect and reveal their unique ID and location. In order for the kind of stingray used by law enforcement to work, it exploits a vulnerability in the 2G protocol. Phones using 2G don't authenticate cell towers, which means that a rogue tower can pass itself off as a legitimate cell tower.

But because 3G and 4G networks have fixed this vulnerability, the stingray will jam these networks to force nearby phones to downgrade to the vulnerable 2G network to communicate. "Depending on how long the jamming is taking place, there's going to be disruption," Chris Soghoian, chief technologist for the ACLU, has told WIRED previously. "When your phone goes down to 2G, your data just goes to hell. So at the very least you will have disruption of internet connectivity. And if and when the phones are using the stingray as their only tower, there will likely be an inability to receive or make calls."

Concerns about the use of stingrays are growing. Last March, Senator Bill Nelson (D-Florida) sent a letter to the FCC calling on the agency to disclose information about its certification process for approving stingrays and any other tools with similar functionality. Nelson asked in particular for information about any oversight put in place to make sure that use of the devices complies with the manufacturer's representations to the FCC about how the technology works and is used. Nelson also raised concerns about their use in a remarkable speech on the Senate floor. The Senator said the technology "poses a grave threat to consumers' cellphone and Internet privacy," particularly when law enforcement agencies use them without a warrant.

The increased attention prompted the Justice Department this month to release a new federal policy on the use of stingrays, requiring a warrant any time federal investigators use them. The rules, however, don't apply to local police departments, which are among the most prolific users of the technology and have been using them for years without obtaining a warrant.

-- It's better to burn out than fade away.
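The force-downgrade behaviour the article describes (3G/4G jammed, the handset falling back to 2G, where the tower is not authenticated, and camping on an unusually strong unknown cell) is something a handset-side monitor can look for after the fact. The Python below is an added example, not code from the article, from WIRED or from the ACLU; it runs a small set of heuristics over a constructed serving-cell log. The log lines, the known-cell baseline, the dBm thresholds and the indicator count needed to alert are all assumptions chosen for illustration.

```python
"""Heuristic detector for suspicious 3G/4G -> 2G downgrades in a serving-cell log."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample of a handset's serving-cell log (not real data).
# Columns: seconds, radio technology, MCC, MNC, LAC/TAC, cell id, signal in dBm.
SAMPLE_LOG = """\
0  LTE 310 260 4401 98765 -85
10 LTE 310 260 4401 98765 -84
20 GSM 310 260 7777 31337 -60
30 GSM 310 260 7777 31337 -58
40 LTE 310 260 4401 98765 -85
50 LTE 310 260 4401 98766 -112
60 GSM 310 260 4401 20001 -95
"""

# Constructed baseline of cells this handset has camped on before. In a real
# monitor this would be built up over days of normal use; here it is assumed.
KNOWN_CELLS: Set[Tuple[str, str, int, int]] = {
    ("310", "260", 4401, 98765),
    ("310", "260", 4401, 98766),
    ("310", "260", 4401, 20001),
}

AUTHENTICATING_RATS = {"UMTS", "LTE"}  # technologies where the network is authenticated
HEALTHY_DBM = -100      # assumed: above this a phone has no reason to fall back to 2G
STRONG_2G_DBM = -70     # assumed: a very strong, previously unseen 2G cell is a classic tell
ALERT_THRESHOLD = 2     # assumed: indicators needed before a downgrade is reported


@dataclass(frozen=True)
class CellSample:
    t: int
    rat: str
    mcc: str
    mnc: str
    lac: int
    cid: int
    dbm: int

    @property
    def key(self) -> Tuple[str, str, int, int]:
        """Identity of the cell, independent of signal strength and time."""
        return (self.mcc, self.mnc, self.lac, self.cid)


def parse_log(text: str) -> List[CellSample]:
    """Parse the whitespace-separated log format above, skipping malformed lines."""
    samples: List[CellSample] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        t, rat, mcc, mnc, lac, cid, dbm = parts
        samples.append(CellSample(int(t), rat, mcc, mnc, int(lac), int(cid), int(dbm)))
    return samples


def detect_downgrades(samples: List[CellSample],
                      known_cells: Set[Tuple[str, str, int, int]],
                      threshold: int = ALERT_THRESHOLD) -> List[Dict]:
    """Report transitions from an authenticating technology to GSM (2G) that carry
    at least `threshold` suspicious indicators:
      healthy_prior_signal - the 3G/4G signal was fine, so a fallback was not needed
      unknown_2g_cell      - the 2G cell is not in the handset's baseline
      strong_2g_signal     - the 2G cell is unusually strong for a network cell
    A genuine coverage-driven fallback (weak LTE, known 2G cell) scores zero.
    """
    alerts: List[Dict] = []
    for prev, cur in zip(samples, samples[1:]):
        if prev.rat not in AUTHENTICATING_RATS or cur.rat != "GSM":
            continue
        indicators: List[str] = []
        if prev.dbm > HEALTHY_DBM:
            indicators.append("healthy_prior_signal")
        if cur.key not in known_cells:
            indicators.append("unknown_2g_cell")
        if cur.dbm > STRONG_2G_DBM:
            indicators.append("strong_2g_signal")
        if len(indicators) >= threshold:
            alerts.append({"t": cur.t, "from": prev.rat, "cell": cur.key,
                           "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in detect_downgrades(parse_log(SAMPLE_LOG), KNOWN_CELLS):
        print(alert)
```

In the constructed log the transition at t=20 (good LTE signal, then a never-seen GSM cell at -60 dBm) trips all three indicators, while the transition at t=60 (LTE already at -112 dBm, then a known GSM cell at -95 dBm) looks like ordinary coverage loss and is not reported. The point of requiring more than one indicator is that any single signal has innocent explanations; it is the combination that matches the downgrade pattern described above.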
From rforno at infowarrior.org Wed Oct 28 19:48:15 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Oct 2015 20:48:15 -0400 Subject: [Infowarrior] - Sony BMG Rootkit Scandal: 10 Years Later Message-ID:

Sony BMG Rootkit Scandal: 10 Years Later
http://www.networkworld.com/article/2998251/malware-cybercrime/sony-bmg-rootkit-scandal-10-years-later.html

-- It's better to burn out than fade away.

From rforno at infowarrior.org Wed Oct 28 19:50:19 2015 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 28 Oct 2015 20:50:19 -0400 Subject: [Infowarrior] - China Unable To Recruit Hackers Fast Enough Message-ID: <73649478-F378-493D-9C67-BEFEB027A70F@infowarrior.org>

;)

China Unable To Recruit Hackers Fast Enough To Keep Up With Vulnerabilities In U.S. Security Systems
NEWS IN BRIEF October 26, 2015 Vol 51 Issue 43

BEIJING - Despite devoting countless resources toward rectifying the issue, Chinese government officials announced Monday that the country has struggled to recruit hackers fast enough to keep pace with vulnerabilities in U.S. security systems. "With new weaknesses in U.S. networks popping up every day, we simply don't have the manpower to effectively exploit every single loophole in their security protocols," said security minister Liu Xiang, who confirmed that the thousands of Chinese computer experts employed to expose flaws in American data systems are just no match for the United States' increasingly ineffective digital safeguards. "We can't keep track of all of the glaring deficiencies in their firewall protections, let alone hire and train enough hackers to attack each one. And now, they're failing to address them at a rate that shows no sign of slowing down anytime soon. The gaps in the State Department security systems alone take up almost half my workforce." At press time, Liu confirmed that an inadequate labor pool had forced China to outsource some of its hacker work to Russia.
http://www.theonion.com/article/china-unable-recruit-hackers-fast-enough-keep-vuln-51719 -- It's better to burn out than fade away.